3-Valued abstraction: More precision at less cost

Information and Computation 206 (2008) 1313–1333

Contents lists available at ScienceDirect

Information and Computation journal homepage: www.elsevier.com/locate/ic

3-Valued abstraction: More precision at less cost聻 Sharon Shoham ∗, Orna Grumberg Computer Science Department, Technion, Haifa, Israel

A R T I C L E

I N F O

Article history: Received 5 July 2007 Revised 3 July 2008 Available online 12 August 2008

A B S T R A C T

This paper investigates both the precision and the model checking efficiency of abstract models designed to preserve branching time logics w.r.t. a 3-valued semantics. Current abstract models use ordinary transitions to over approximate the concrete transitions, while they use hyper transitions to under approximate the concrete transitions. In this work, we refer to precision measured w.r.t. the choice of abstract states, independently of the formalism used to describe abstract models. We show that current abstract models do not allow maximal precision. We suggest a new class of models and a construction of an abstract model which is most precise w.r.t. any choice of abstract states. As before, the construction of such models might involve an exponential blowup, which is inherent by the use of hyper transitions. We therefore suggest an efficient algorithm in which the abstract model is constructed during model checking, by need. Our algorithm achieves maximal precision w.r.t. the given property while remaining quadratic in the number of abstract states. To complete the picture, we incorporate it into an abstraction-refinement framework. © 2008 Elsevier Inc. All rights reserved.

1. Introduction Abstraction is one of the most successful techniques for fighting the state explosion problem in model checking [2]. Abstractions hide some of the details of the verified system, thus result in smaller models. Most commonly used are state abstractions that collapse (possibly non disjoint) sets of concrete states into abstract states. As such, an abstraction consists of a set of abstract states SA and a mapping (or concretization function) γ that defines the relation between abstract states and the concrete states that they represent. The rest of the components of the concrete model then also need to be lifted into the abstract world, in order to result in an abstract model. This can be done in various ways. When using a 2-valued semantics, abstract models are usually designed to be conservative for true, meaning that truth of a formula is preserved from the abstract model to the concrete model. A greater advantage is obtained if the formula is interpreted w.r.t. a 3-valued semantics [3]. This semantics evaluates a formula to either true, false or indefinite. Abstract models can then be designed to be conservative for both true and false. Only if the value of a formula in the abstract model is indefinite, its value in the concrete model is unknown. We follow this approach. The logic specifications we consider in this paper are formulas of the modal μ-calculus [4]. The modal μ-calculus is a powerful formalism for expressing properties of transition systems using fixpoint operators. In particular, it combines both existential and universal properties. As such, two transition relations are needed in an abstract model for it to be conservative w.r.t. the full μ-calculus (be it over a 2-valued or a 3-valued semantics). Examples of such abstract models are modal transition systems [5,6] or mixed transition systems [7] that contain may transitions which over-approximate transitions of the concrete model, and must transitions, which under-approximate the concrete transitions. To ensure logic preservation, 聻 A preliminary version of this paper appeared in the [1]. * Corresponding author. E-mail addresses: [email protected] (S. Shoham), [email protected] (O. Grumberg). 0890-5401/$ - see front matter © 2008 Elsevier Inc. All rights reserved. doi:10.1016/j.ic.2008.07.004

1314

S. Shoham, O. Grumberg / Information and Computation 206 (2008) 1313–1333

Fig. 1. Illustration of Example 1.1.

truth of universal formulas is then examined over may transitions, whereas truth of existential formulas is examined over must transitions. Dually for falsity when a 3-valued semantics is considered. It was shown in [8,9,10] that must transitions are a source of incompleteness, in the sense that when limited to the use of must transitions, it is not always possible to construct a finite abstract model in which a property holds, even if it holds on the concrete model. Must transitions were also shown to behave badly in refinement in the sense of causing a loss of precision [11]. It was therefore suggested to model the must transitions of an abstract model as hyper transitions, which connect a single state to a set of state. Hyper transitions, first introduced in [12], were shown in [11] to prevent the loss of precision during refinement. They were also shown in [9,10] to result in a complete abstraction framework for the fragment of the μ-calculus defined with greatest fixpoints only ([9] also introduces fairness and hence achieves completeness for the full μ-calculus). Following [11], we refer to such models, defined with may transitions and must hyper transitions, as generalized kripke modal transition systems (GTSs). In this paper, we investigate both the precision of abstract models, and the efficiency of their model checking. We show that GTSs are not yet satisfactory in terms of precision. We suggest how to overcome their imprecision by using may hyper transitions. We then suggest an efficient abstract model checking algorithm that achieves the newly obtained maximal precision while avoiding the exponential blowup inherent by the use of hyper transitions. Precision of an abstract model is measured by the extent to which it enables to verify or falsify formulas. Specifically, given an abstraction (SA ,γ ), it is desirable to construct an abstract model over the states SA in which as many formulas as possible have a definite value (true or false). With this purpose in mind, we address the allegedly non-problematic may transitions. We show that while being good enough for completeness purposes [9,10], they are in fact a source of imprecision. This might sound surprising, yet the explanation is simple: when completeness is investigated, the choice of the abstraction (SA ,γ ) is left open. On the other hand, when precision is investigated, one is interested in how precise the model is for a given abstraction. In order to elaborate further on the imprecision problem we need a more detailed description of abstract models. Typically, to ensure logic preservation, may transitions in an abstract model have to be such that whenever there is a concrete transition from a concrete state sc to a concrete state sc , then every abstract state that represents sc has to have a may transition to some abstract state that represents sc . This is because the may transitions are used to over approximate the concrete transitions. Now, consider the following example. Example 1.1. Suppose that we are interested in verifying the formulas p (“all the successors satisfy p”) and q (“all the successors satisfy q”) in a concrete state sc that has exactly one successor sc satisfying both p and q. Suppose further that we are given an abstraction in which sc is represented by sa , and no other concrete state is represented by sa . Moreover suppose that sc is represented by two abstract states: s1a that satisfies p but has an indefinite value on q, and s2a that satisfies q but has an indefinite value on p. Fig. 1 illustrates this setting. Then at least one of the transitions (sa ,s1a ) or (sa ,s2a ) has to be included as a may transition in the abstract model in order to over approximate the concrete transition from sc to sc . However, choosing the first transition will enable verification of p, but not q, choosing the second will enable the opposite, and including both transitions will prevent verification of both properties. In other words, no choice of a may transition relation will enable verification of both p and q. In particular, none of them will enable to verify p ∧ q. Intuitively, in order to achieve the desired precision in the above example one has to consider both may transitions, but each of them has to be considered separately. We therefore suggest a new class of models, called hyper kripke modal transition systems (HTSs), in which may transitions are also replaced by hyper transitions, with the meaning that each outgoing may hyper transition of an abstract state sa over approximates all the concrete transitions of the states represented by sa , but several different approximations (may hyper transitions) can be used. Other possible solutions involve changing the abstract state space, for example by some kind of completion that improves the states precision (e.g. [13,14]). However, in this work we do not follow such solutions since we wish to “make the most” of the given abstract states. Using HTSs as abstract models solves the problem demonstrated by Example 1.1, but one may wonder if there are other imprecision sources that HTSs do not address. To answer this question and justify the use of HTSs as abstract models we show how to construct, given any abstraction, an HTS which is as precise as the abstraction allows. We formalize this by introducing a new notion of precision which only depends on the abstraction (SA ,γ ) itself and not on the class of abstract

S. Shoham, O. Grumberg / Information and Computation 206 (2008) 1313–1333

1315

models. This enables us to claim that the constructed HTS is as precise as possible, among all possible abstract models with a standard 3-valued semantics. HTSs therefore settle the issue of precision, as they allow maximal precision. Yet, in terms of efficiency, their use only increases the problem which already exists in GTSs due to the must hyper transitions: in general, the number of hypertransitions might be exponential in the number of states in the abstract model. Thus, the need to handle hyper transitions makes both the construction of an abstract model and its model checking computationally expensive. This problem was already addressed in [11] with respect to must hyper transitions. They suggested an automatic construction of abstract GTSs within an abstraction-refinement framework for CTL. Their algorithm starts with some initial model which consists of (mostly) ordinary transitions. Then, during refinement, when the abstract states are split, instead of computing all must hyper transitions, they “learn” must hyper transitions from must transitions (and hyper transitions) that existed in the previous iteration. Thus, in many cases they avoid the exponential blowup. The approach of [11] suffers from several disadvantages. First, it only works as part of an abstraction-refinement loop. More importantly, the produced must hyper transitions are not necessarily the ones that are needed in practice for a specific proof. Some of them might be redundant, as they are irrelevant for proving the desired property, whereas others which are needed to verify the desired property might not be produced, making the model not precise enough. We wish to obtain efficiency without compromising the precision that an HTS enables to get. We achieve this goal for the alternation free fragment of the μ-calculus. The ability to do this results from the fact that the precise HTS is precise w.r.t. every μ-calculus formula, whereas we are only interested in one particular (alternation-free) formula. This can be exploited to save unnecessary efforts. Suppose, for example, that we wish to check the formula ♦p (“there is a successor that satisfies p”) in an abstract state sa , for which the number of outgoing must hyper-transitions in the precise HTS is exponential in the number of states. If we want the abstract model to be as precise as possible w.r.t every μ-calculus formula, we might need to consider all of the hyper transitions (or at least the minimal ones). However, for the verification of ♦p in sa it suffices to consider a single must hyper transition (under approximation), in which all the target states satisfy p. In other words, w.r.t. the particular formula, a HTS that contains only the relevant must hyper transition is as precise as the precise HTS. Similar reasoning applies to may hyper transitions. The question is how to find these designated hyper transitions and avoid the computation of the rest. The key idea is to construct the HTS during the model checking, and thus avoid the (exponential) construction of the precise HTS. We use the model checking to guide the computation of hyper transitions, by checking for the existence of hyper transitions only when needed. We obtain an automatic construction of an abstract model which is as precise as the precise HTS w.r.t. the property of interest, along with a model checking algorithm with complexity O(|SA |2 × |ϕ|). This is comparable to the model checking complexity of the alternation free μ-calculus over models limited to ordinary transitions (recall that the number of ordinary transitions over |SA | states is O(|SA |2 )), except that our algorithm also ensures maximal precision. We emphasize that while may hyper transitions are not always necessary for maximal precision, must hyper transitions are in fact mandatory for completeness. This demonstrates the importance of such an algorithm, which handles both may and must hyper transitions efficiently. Moreover, our approach can be beneficial even in cases where ordinary transitions suffice for the construction of a precise abstract model for a formula. This is because such constructions are usually expensive as they require finding best approximations of the concrete transitions (e.g. [7]). In our approach, instead of computing best approximations, the model checking algorithm wisely chooses candidates for which we perform the simpler task of checking if the given candidate is a correct approximation—not necessarily the best one. To complete the discussion, we show how to use our abstract model checking within an abstraction-refinement framework, and show that the refinement has the desirable property of monotonicity, meaning that the precision of an abstract model never decreases as a result of refinement. To sum up, the main contributions of this paper are: • New simple definition of precision of abstract models, which measures the precision w.r.t. the abstraction (SA ,γ ), independently of the class of models used. • New class of abstract models and a construction of an abstract model of this class which is precise w.r.t. any given abstraction. • New abstract model checking algorithm for the alternation free μ-calculus that achieves maximal precision for a given formula, while remaining quadratic in the number of abstract states. This algorithm results in a more precise abstractionrefinement framework. Related work. Precision of modal (or mixed) transition systems, with ordinary may and must transitions, is studied in [15,7,16]. They suggest constructions of such abstract models which are most precise among all models from this specific class. In [11] GTSs are considered. They suggest a construction of an abstract GTS (with must hyper transitions) and show that it is most precise among all models produced by a specific construction method. In contrast to the above, we define a general notion of precision, which is independent not only of the construction method, but also of the class of abstract models. A similar approach is taken in [17]. They refer to multi-valued concrete models and use an abstract semantics which is more general than the 3-valued semantics. They also define precision w.r.t. the abstraction itself, but then use (multi-valued) transition systems as abstract models, which causes a loss of precision. Our work, on the other hand, suggests a class of

1316

S. Shoham, O. Grumberg / Information and Computation 206 (2008) 1313–1333

models that achieves maximal precision for the case of 2-valued concrete models. Moreover, [17] defines precision within the framework of abstract interpretation [18] and assumes that every set of concrete states has a unique most precise abstract state that describes it. We do not impose any restrictions on the abstraction and provide a simple, “stand alone”, definition of precision. The work of [10] also measures the precision of an abstract model by comparison to the precision of the abstraction. They define the precision of an abstraction (SA ,γ ) in terms of a game over the concrete model. Their definition considers abstract states as precise in less cases than our definition. In particular, the abstract state sa from Example 1.1 is not considered precise for p by their definition (when translating it to logic terms), although as demonstrated by Example 1.1, it does carry enough information to verify p in the (only) concrete state it represents. Using this stronger definition they show that the construction of an abstract GTS, which is also suggested in [11], results in a precise abstract model. This is in contrast to our result that shows that GTSs do not allow maximal precision, since we measure the precision of a model compared to a more general definition of precision of an abstraction. As a consequence, when pursuing precision w.r.t. our definition, we get abstract models which are strictly more precise. They thus allow to verify and falsify more properties of the concrete model. Ref. [19] refers to precision with a different motivation. They suggest how to define the abstraction (SA ,γ ) after refinement in order to maintain precision of an abstract model after refinement. Thus, they measure precision only w.r.t. the precision before refinement and not independently. A different approach to precision, pursued in [20,21], uses a more precise 3-valued semantics, referred to as the thorough semantics. This semantics gives more definite answers than the standard 3-valued semantics, at the expense of increasing the complexity of model checking. Namely, the resulting model checking problem has the same complexity as satisfiability. We are interested in an effective framework, thus we use the standard 3-valued semantics, which is less precise, but enjoys a better model checking complexity. We note that the imprecision problem described in this paper still exists even if the thorough semantics is used. Namely, the thorough semantics evaluates a formula in an abstract model depending on its value in all possible (consistent) concretizations of the abstract model. This is in general more precise than the standard (inductive) semantics which might implicitly consider inconsistent underlying concrete models. However, the described problem results from the imprecision of the abstract model itself, meaning that undesired concrete models are included as part of its “real” concretizations. Thus, even the thorough semantics, which considers only the real concretizations, does not help to overcome the imprecision. May hyper transitions resemble the de-focus operations of [9], just like must hyper transitions resemble the focus operations. However, the focus and de-focus operations of [9] are used in the evaluation of ∨ and ∧-formulas. We use the standard semantics for ∨ and ∧, which does not depend on the underlying model. Instead, we use may and must hyper transitions in the evaluation of  and ♦-formulas, where the transitions of the underlying model need to be considered. In addition, in [9] the authors are interested in completeness and do not refer to the precision or model checking cost of the suggested class of models. In terms of model checking in the presence of hyper transitions, [10] shows that the model checking problem for GTSs is reducible to concrete model checking in linear time (and logarithmic space) in the size of the GTS. Yet, the GTS itself might be of size exponential in the size of the abstract state space SA (due to the existence of hyper transitions). Thus the overall complexity is exponential. Our approach in which we construct the abstract model during the model checking has some resemblance to the work of [22]. They perform reachability analysis, where they execute the concrete transitions, while storing abstract versions of the concrete states that are visited. Their approach is limited to falsification of safety properties, as they consider only an under approximation of the concrete model. Our work, on the other hand, is suitable for any property expressed in the alternation free μ-calculus, and is based on a 3-valued setting which enables both verification and falsification. Organization of the paper. The μ-calculus and the 3-valued abstraction framework are introduced in Section 2. In Section 3, precision of 3-valued abstract models is defined and investigated. The class of hyper kripke modal transition systems (HTSs) is introduced and a precise construction of a HTS is provided. Section 4 refers to the model checking efficiency of HTSs. An efficient abstract model checking algorithm for the alternation-free μ-calculus, which avoids the exponential blowup inherent by the use of hyper transitions, is suggested. This algorithm is incorporated into a monotonic abstraction-refinement framework in Section 5. We conclude in Section 6. In Appendix A, we consider concrete systems with multiple initial states, and show that similar imprecision and efficiency questions arise, and are settled by similar techniques. 2. Preliminaries μ-calculus [4]. Let AP be a finite set of atomic propositions and V a set of propositional variables. We define the set Lit of literals over AP to be the set AP ∪ {¬p : p ∈ AP}. We identify ¬¬p with p. The logic μ-calculus in negation normal form is defined as follows: ϕ ::= true | false | l | Z | ϕ ∧ ϕ | ϕ ∨ ϕ |

ϕ | ♦ϕ | μZ.ϕ | νZ.ϕ

where l ∈ Lit and Z ∈ V . μ denotes a least fixpoint, whereas ν denotes greatest fixpoint. Let Lμ denote the set of closed formulas generated by the above grammar, where the fixpoint quantifiers μ and ν are variable binders. We will also write η for either μ or ν. Furthermore we assume that formulas are well-named, i.e., no variable is bound more than once in any

S. Shoham, O. Grumberg / Information and Computation 206 (2008) 1313–1333

1317

formula. Thus, every variable Z identifies a unique subformula fp(Z) = ηZ.ψ of ϕ, where the set Sub(ϕ) of subformulas of ϕ is defined in the usual way. We also consider the alternation-free fragment of the μ-calculus, denoted L0μ , where no nesting of fixpoints is allowed. Namely, ϕ ∈ L0μ if for every subformula ηZ.ψ ∈ Sub(ϕ), no variable other than Z occurs freely in ψ. For a formula ηZ.ψ, we denote by ψ i the unwinding of the fixpoint formula i times. Formally,  ψ0 =

false true

if η = μ if η = ν

and ψ i+1 = ψ[Z := ψ i ]. Concrete semantics. Concrete systems are typically modelled as Kripke structures. A Kripke structure [2] is a tuple M = (S,R,L), where S is a (possibly infinite) set of states, R ⊆ S × S is a transition relation, which must be total, and L : S → 2Lit is a labeling function, such that for every state s and every p ∈ AP, exactly one of p and ¬p is in L(s). The concrete semantics [[ϕ]]M of ϕ ∈ Lμ w.r.t. a Kripke structure M = (S,R,L) is an element of 2S . The semantics is defined inductively. To handle subformulas which are not closed, an environment ρ : V → 2S , which explains the meaning of free variables, is introduced. [[ϕ]]M,ρ is defined inductively, for every μ-calculus formula. For g ∈ 2S , we denote with ρ[Z → g] the environment that maps Z to g and agrees with ρ on all other arguments. In the following definition f = λg.[[ϕ]]M,ρ[Z →g] is an element of 2S → 2S and gfp(f ), lfp(f ) stand for the greatest and least fixpoints of f . These fixpoints exist according to [23], since the elements in 2S form a complete lattice under set inclusion ordering and the functional f is monotone w.r.t. this ordering. := S [[true]]M,ρ := ∅ [[false]]M,ρ := {s | l ∈ L(s)} [[l]]M,ρ M,ρ [[ϕ]] := {s | ∀s , if sRs then s ∈ [[ϕ]]M,ρ } := {s | ∃s s.t. sRs and s ∈ [[ϕ]]M,ρ } [[♦ϕ]]M,ρ M,ρ := [[ϕ1 ]]M,ρ ∩ [[ϕ2 ]]M,ρ [[ϕ1 ∧ ϕ2 ]] [[ϕ1 ∨ ϕ2 ]]M,ρ := [[ϕ1 ]]M,ρ ∪ [[ϕ2 ]]M,ρ [[Z]]M,ρ := ρ(Z) := lfp(λg.[[ϕ]]M,ρ[Z →g] ) [[μZ.ϕ]]M,ρ M,ρ := gfp(λg.[[ϕ]]M,ρ[Z →g] ) [[νZ.ϕ]] Intuitively, in this context  stands for “all successors”, whereas ♦ stands for “exists a successor”.  Note that for a closed formula ϕ, [[ϕ]]M,ρ = [[ϕ]]M,ρ , for any environments ρ,ρ  . Thus, when closed formulas are considered, we drop the environment from the semantic brackets, and simply refer to [[ϕ]]M . [[ϕ]]M ⊆ S can also be viewed as a mapping S → {tt,ff}. As such, for a closed formula ϕ ∈ Lμ , we sometimes write [[ϕ]]M (s) = tt instead of s ∈ [[ϕ]]M . Similarly, we write [[ϕ]]M (s) = ff instead of s ∈ [[ϕ]]M . [[ϕ]]M (s) = tt (= ff) means that the formula ϕ is true (false) in the state s of the Kripke structure M. 2.1. Abstraction framework Let MC be a concrete Kripke structure with a set of concrete states SC . An abstraction (SA ,γ ) for SC consists of a finite set of abstract states SA and a total concretization function γ : SA → 2SC that maps each abstract state to the (nonempty) set of concrete states it represents. Every sc ∈ SC is represented by some sa ∈ SA . The abstract states provide descriptions of the concrete states. The other components of the model MC then also need to be lifted into the abstract world. Several classes of abstract models have been suggested for this purpose. A class of models consists of some form of a transition system. It is accompanied with a semantics for the logic of interest, in our case the μ-calculus, over models from the class, and some preservation relation  between states that ensures preservation of the logic. An abstract model for MC is then a model MA from the class, over SA , in which (MC ,sc )  (MA ,sa ) whenever sc ∈ γ (sa ). We are particularly interested in classes of abstract models that use a 3-valued semantics. The 3-valued semantics [3] of a formula in a model M enables preservation of both satisfaction (tt) and refutation (ff) from an abstract model to the concrete one. In addition, a new truth value, ⊥, is introduced, meaning that the truth value over the concrete model is unknown and can be either tt or ff. Such a 3-valued semantics was suggested for various classes of abstract models (e.g. [24,25,11]). We define a generic 3-valued semantics that generalizes these definitions. We refer to classes of models defined with such a 3-valued semantics, where the preservation relation ensures preservation of both tt and ff, as 3-valued classes. M A 3-valued class defines, for each model M from the class, sets lM ∈ 2S , for every l ∈ Lit, and operators  ,♦M : 2S → 2S . These definitions are given in terms of the components of M (e.g. abstract transitions and labeling), with the requirements M that lM and (¬l)M are disjoint and the operators  and ♦M are monotone w.r.t. set inclusion. The 3-valued semantics for the class is then defined based on Kleene’s 3-valued logic for ∧ and ∨, and with the standard definition for fixpoints. Only the definition for formulas of the form l ∈ Lit, ψ, and ♦ψ depends on the particular class of M.

1318

S. Shoham, O. Grumberg / Information and Computation 206 (2008) 1313–1333 M,ρ

Definition 2.1 (Generic 3-valued semantics). Let M be a model from a 3-valued class. The tt-set [[ϕ]]tt ⊆ S of a μ-calculus formula ϕ over M and an environment ρ : V → 2S is defined inductively similarly to the concrete semantics, except that the M,ρ definition for formulas of the form l ∈ Lit, ψ, or ♦ψ depends on the particular class of M. The ff-set [[ϕ]] ⊆ S over M and ff an environment ρ is defined dually. Specifically, M,ρ M,ρ [[true]] := ∅ := S [[true]]tt ff M,ρ

[[false]]tt M,ρ

[[l]]tt

[[ϕ]]tt

M,ρ

M,ρ

∅

:=

lM

[[l]]

:=

M ([[ϕ]]M,ρ tt )

[[ϕ]]

M,ρ

ff

M,ρ

ff M,ρ

ff

:=

M,ρ ♦M ([[ϕ]] )

M,ρ

:=

M,ρ

M,ρ

[[ϕ1 ]]tt ∩ [[ϕ2 ]]tt

[[ϕ1 ∧ ϕ2 ]] ff

M,ρ

:=

[[ϕ1 ]]tt ∪ [[ϕ2 ]]tt

M,ρ

M,ρ

:=

ρ(Z)

[[Z]]

[[♦ϕ]]tt

[[ϕ1 ∧ ϕ2 ]]tt [[ϕ1 ∨ ϕ2 ]]tt M,ρ

[[Z]]tt

M,ρ

[[μZ.ϕ]]tt

M,ρ

[[νZ.ϕ]]tt M,ρ

[[false]]

:=

M,ρ[Z →g]

:=

lfp(λg.[[ϕ]]tt

)

M,ρ[Z →g]

:=

M,ρ 

[[♦ϕ]]

tt

gfp(λg.[[ϕ]]tt M,ρ

)

M,ρ

ff

:=

S

:=

(¬l)M

:=

♦M ([[ϕ]]

:=

 ([[ϕ]] M

M,ρ

ff

)

M,ρ

ff

)

M,ρ

:=

[[ϕ1 ]] ∪ [[ϕ2 ]] ff ff

[[ϕ1 ∨ ϕ2 ]] ff

M,ρ

:=

[[ϕ1 ]] ∩ [[ϕ2 ]] ff ff

M,ρ

:=

ρ(Z)

:=

gfp(λg.[[ϕ]]

ff

[[μZ.ϕ]] [[νZ.ϕ]]

M,ρ

ff

M,ρ

ff

:=

M,ρ

M,ρ

M,ρ

M,ρ

lfp(λg.[[ϕ]]

If ϕ is a closed formula, then

M,ρ[Z →g]

ff

M,ρ[Z →g]

ff

)

)

M,ρ 

= [[ϕ]] , for any environments ρ,ρ  . Thus, when closed formulas are considered, we drop ff ff the environment from the semantic brackets. M M If for every ϕ ∈ Lμ , [[ϕ]]M tt ∩ [[ϕ]]ff = ∅, then M is consistent. The 3-valued semantics of ϕ ∈ Lμ over M, denoted [[ϕ]]3 , is then defined to be a mapping S → {tt,ff, ⊥}: [[ϕ]]tt = [[ϕ]]tt , and [[ϕ]]

⎧ tt ⎪ ⎪ ⎨ M [[ϕ]]3 (s) = ff ⎪ ⎪ ⎩ ⊥

if s ∈ [[ϕ]]M tt if s ∈ [[ϕ]]M ff otherwise

Note that if M is an abstract model, preservation of both tt and ff of the Lμ from M to the concrete model guarantees that M is consistent. An example of a 3-valued class of models is the class of Generalized Kripke Modal Transition Systems described below with generalized mixed simulation as a relation that ensures logic preservation. Generalized Kripke modal transition systems. Definition 2.2. Given a set of states S, a hyper-transition is a pair (s,A) where s ∈ S and A ⊆ S is a nonempty set.

Definition 2.3 [11]. A generalized Kripke modal transition system (GTS) is a tuple M = (S,R+ ,R− ,L), where S is defined as before, R− ,R+ are may and must transition relations s.t. R− ⊆ S × S is total and R+ ⊆ S × 2S . L : S → 2Lit is a labeling function s.t. for every state s and p ∈ AP, at most one of p and ¬p is in L(s). 3-Valued semantics for GTSs. For a GTS M = (S,R+ ,R− ,L), we define lM , ,♦M as follows. For every l ∈ Lit, lM = {s | l ∈ L(s)}. M For every U ⊆ S:  (U) = {s | ∀t ∈ S, if sR− t then t ∈ U}, and ♦M (U) = {s | ∃A ⊆ S s.t. sR+ A and A ⊆ U}. When integrated into Definition 2.1 this results in a 3-valued semantics. In particular, for a consistent GTS the definition for closed formulas of the form l ∈ Lit, ψ or ♦ψ results in M

[[l]]M 3 (s) = tt if l ∈ L(s),ff if ¬l ∈ L(s), and ⊥ otherwise. ⎧ tt ⎪ ⎪ ⎨ ff M [[ψ]]3 (s) = ⎪ ⎪ ⎩ ⊥

if ∀t ∈ S, if sR− t then [[ψ]]M 3 (t) = tt if ∃A ⊆ S s.t. sR+ A and ∀t ∈ A : [[ψ]]M 3 (t) = ff otherwise

[[♦ψ]]M 3 (s) is defined dually when exchanging tt with ff.

S. Shoham, O. Grumberg / Information and Computation 206 (2008) 1313–1333

1319

Definition 2.4 (Generalized mixed simulation [11]). Let M1 = (S1 ,R1+ ,R1− ,L1 ) and M2 = (S2 ,R2+ ,R2− ,L2 ) be two GTSs. We say that H ⊆ S1 × S2 is a generalized mixed simulation from M1 to M2 if (s1 ,s2 ) ∈ H implies: (1) L2 (s2 ) ⊆ L1 (s1 ); (2) if s1 R1− s1 , then there is some s2 ∈ S2 s.t. s2 R2− s2 and (s1 ,s2 ) ∈ H; (3) if s2 R2+ A2 , then there is some A1 ⊆ S1 s.t. s1 R1+ A1 and (A1 ,A2 ) ∈ H ∀∃ , where (A1 ,A2 ) ∈ H ∀∃ ⇔ ∀s1 ∈ A1 ∃s2 ∈ A2 : (s1 ,s2 ) ∈ H. If there is a generalized mixed simulation H such that (s1 ,s2 ) ∈ H, we write (M1 ,s1 )  (M2 ,s2 ). In particular, Definition 2.4 can be applied to a (concrete) Kripke structure MC and an (abstract) GTS MA , by viewing the Kripke structure as a GTS where R− = R, R+ = {(s,{s }) | (s,s ) ∈ R}. For a Kripke structure the 3-valued semantics agrees with the concrete semantics. Thus, preservation of Lμ formulas is guaranteed by the following theorem, which is adapted from [11] to Lμ . M

Theorem 2.5. For GTSs M1 and M2 with states s1 and s2 ,resp., if (M1 ,s1 )  (M2 ,s2 ) then for every ϕ ∈ Lμ : s2 ∈ [[ϕ]]tt2 ⇒ s1 ∈ M

[[ϕ]]tt1 , and s2 ∈ [[ϕ]]

M2

ff

⇒ s1 ∈ [[ϕ]]

M1

ff

.

Construction of an abstract GTS. Let MC = (SC ,R,LC ) be a (concrete) Kripke structure and (SA ,γ ) an abstraction for SC . An abstract GTS MA = (SA ,R+ ,R− ,LA ) can be constructed as follows [11]. The labeling of an abstract state is defined in accord with the labeling of all the concrete states it represents. For l ∈ Lit, l ∈ LA (sa ) only if ∀sc if sc ∈ γ (sa ) then l ∈ LC (sc ). It is thus possible that neither p nor ¬p are in LA (sa ). The may transitions are computed by an [∃∃] rule such that every concrete transition is represented by them: ∃sc ∈ γ (sa ) ∃sc ∈ γ (sa ) s.t. sc Rsc ⇒ sa R− sa The must hyper transitions, on the other hand, represent concrete transitions that are common to all the concrete states represented by the source abstract state. They are computed by an [∀∃∃] rule: ∀sc ∈ γ (sa ) ∃sa ∈ Aa ∃sc ∈ γ (sa ) s.t. sc Rsc ⇐ sa R+ Aa Exact GTS. If the three implications above are replaced by “iff”, then the labeling, may transitions and must hyper transitions are exact, resulting in the exact GTS.1 Other constructions of abstract GTSs can also be suggested. For example, the construction of a mixed transition system from [7] within the framework of abstract interpretation can be extended to GTSs as well (see Section 3.2). All the above constructions assure us that whenever sc ∈ γ (sa ), then (MC ,sc )  (MA ,sa ). The generalized mixed simulation H ⊆ SC × SA is induced by γ as follows: (sc ,sa ) ∈ H iff sc ∈ γ (sa ). Therefore, Theorem 2.5 guarantees preservation of Lμ from MA to MC . For example, the exact GTS for the (partial) Kripke structure from Example 1.1 includes two may transitions: (sa ,s1a ) and (sa ,s2a ), computed by the ∃∃ rule, and four must hyper transitions: (sa ,{s1a }), (sa ,{s2a }), (sa ,{s1a ,s2a }) and (sa ,{s1a ,s2a ,sa }), computed by the ∀∃∃ rule. Moreover, s1a is labeled p, while s2a is labeled q. This construction ensures the existence of a generalized mixed simulation relation H ⊆ SC × SA such that {(sc ,sa ),(sc ,s1a ),(sc ,s2a )} ⊆ H. For example, for the pair (sc ,sa ) ∈ H, requirement 2 of the generalized mixed simulation requires that sa has a may transition that corresponds to the transition sc Rsc . Either one of the may transitions sa R− s1a or sa R− s2a fulfills this requirement. Requirement 3 requires that each of the must hyper transitions of sa has a corresponding (hyper) transition in the concrete model. The (only) transition of sc to sc satisfies this requirement, when we view it as a hyper transition whose target set is the singleton consisting of sc . Remark 2.6 (Consistency). In the definition of the generic 3-valued semantics (Definition 2.1), the need to first separately define the tt-sets and the ff-sets of μ-calculus formulas arises since in the general case, if the 3-valued model at hand is inconsistent, the value of a formula in a state of the model can be both tt and ff, resulting in a 4-valued semantics. In some cases, consistency is ensured by some “syntactic” condition which is added to the 3-valued class and prevents such a scenario. In such cases, the 3-valued semantics can immediately be defined as a mapping S → {tt,ff, ⊥}, without the need to first define the tt-sets and the ff-sets separately. For example, when talking about GTSs, a requirement that the must (hyper) transitions are included in the may transitions is sometimes added. This means that if sR+ A, then for every s ∈ A, sR− s holds too. Such a requirement ensures consistency. M More generally, this requirement ensures that if U1 ,U2 ⊆ S are disjoint sets, then  (U1 ) ∩ ♦M (U2 ) = ∅, which ensures (by M M induction) that for every ϕ ∈ Lμ , [[ϕ]]tt ∩ [[ϕ]] = ∅. ff One could think of requiring an equivalent requirement from any 3-valued class in order to ensure consistency. However, such a requirement also restricts the expressiveness of the models. For example, when extending the constructions of [7] to GTSs, the resulting abstract models do not maintain this requirement, even though they are consistent. These construcM tionsonly ensure that if U1 and U2 represent disjoint sets of concrete states then  (U1 ) ∩ ♦M (U2 ) = ∅. This is a sufficient 1

The term “exact” reflects the fact that the implications are exact. It should not be confused with the notion of precision.

1320

S. Shoham, O. Grumberg / Information and Computation 206 (2008) 1313–1333

condition for consistency. Yet, since it involves the underlying concrete states, it cannot be used in the more general context. Thus, we do not add such restrictions. This allows the consideration of more expressive classes of models, at the price of complicating the semantics and allowing the value of a formula in a state to be both tt and ff. However, as explained above, when considering an abstract model, consistency is ensured, and a 3-valued semantics is obtained.

3. Increasing precision Let MC be a concrete Kripke structure. In this section, we are interested in the precision of the abstract model constructed for MC with a given abstraction (SA ,γ ). Specifically, in Section 2 we described GTSs as a class of abstract models, along with constructions of abstract models from this class. We now ask the following questions: (1) Do the constructions of GTSs from Section 2 produce the most precise abstract model that we can hope for, given an abstraction? and more fundamentally: (2) Does the use of GTSs enable to express the most precise abstract model? Of course, to answer these questions we first need to define what the most precise abstract model that we can hope for is, given an abstraction. We measure precision with respect to a 3-valued semantics. We therefore restrict the discussion to abstract models from 3-valued classes. 3.1. Precision of abstract models We wish to capture maximal precision within the boundaries of the inductive 3-valued semantics as defined in Definition 2.1. When using this semantics, the verification or refutation of any Lμ formula over an abstract model MA boils down to

manipulations of lMA ,  A (UA ), and ♦MA (UA ) for various l ∈ Lit and UA ⊆ SA . We therefore view a set UA ⊆ SA as a new formula  with the following semantics. Let γ (UA ) stand for sa ∈UA γ (sa ). Then in a concrete model MC , [[UA ]]MC = {sc | sc ∈ γ (UA )}. In an M

M

abstract model MA (from a 3-valued class), [[UA ]]ttA = UA . As such,  M

MA

M

M

(UA ) = [[UA ]]ttA , and ♦MA (UA ) = [[♦UA ]]ttA . In addition,

recall that lMA = [[l]]ttA . This makes the tt-sets of formulas of the form l, UA , and ♦UA over MA the building blocks of any model checking problem over MA . As such, the precision of MA is determined by its precision w.r.t. truth of such formulas. In the spirit of [10] we first define the precision of an abstraction w.r.t. such formulas. This is the precision that a precise abstract model will then be expected to match. Definition 3.1 (Precision of abstractions). Given an abstraction (SA ,γ ) for MC and a state sa ∈ SA , we say that sa fulfills ϕ = l,

UA or ♦UA , for l ∈ Lit and UA ⊆ SA , if ∀sc ∈ γ (sa ) : [[ϕ]]MC (sc ) = tt (i.e., sc ∈ [[ϕ]]MC ).

Note that this definition is independent of the class of abstract models, as it is meant to capture the precision of the abstraction itself, in terms of the information carried within the abstract states. For example, for the abstraction to reflect the fact that UA holds in an abstract state sa (meaning it holds in all the concrete states it represents), it has to be the case that all the concrete states in γ (sa ) share the property that all of their outgoing (concrete) transitions are to γ (UA ), which is the “description” of UA in the concrete world. Definition 3.2. Let MA be an abstract model (from some 3-valued class) over a set of abstract states SA , and let UA ⊆ SA . We M M say that UA is definable by Lμ in MA if UA = [[ϕ]]ttA or UA = [[ϕ]] A for some ϕ ∈ Lμ . ff Definition 3.3 (Precision of models). An abstract model MA for MC (from some 3-valued class) is precise w.r.t. (SA ,γ ) if for all M sa ∈ SA , l ∈ Lit and UA ⊆ SA which is definable by Lμ in MA : whenever sa fulfills ϕ = l, UA or ♦UA , then sa ∈ [[ϕ]]ttA . Thus whenever the information about l, UA , or ♦UA exists in the abstract states, a precise abstract model enables to see that. Note that we restrict the requirements of precision to sets UA which are definable by some μ-calculus formula, since these are the sets that arise in the verification or falsification of Lμ formulas. To formalize the generality of Definition 3.3, we extend Definition 3.1 to more complicated formulas and to falsification, following the 3-valued semantics. We then show that whenever an abstract model is precise w.r.t. truth of l,UA ,♦UA , it is also precise w.r.t. any other formula. Definition 3.4. Let A = (SA ,γ ) be an abstraction. We define an abstract semantics [[ϕ]]A 3 by using the generic 3-valued semanA

tics (see Definition 2.1) with the following definitions of lA ∈ 2SA , and  ,♦A : 2SA → 2SA . For l ∈ Lit: lA = {sa | sa fulfills l}. A For UA ⊆ SA :  (UA ) = {sa | sa fulfills UA }, and ♦A (UA ) = {sa | sa fulfills ♦UA }. We say that sa ∈ SA enables verification (falsification) of ϕ ∈ Lμ if [[ϕ]]A 3 (sa ) = tt (ff). A

Note that lA , 

and ♦A satisfy the requirements of Definition 2.1. Namely, lA and (¬l)A aredisjoint and the operators

S. Shoham, O. Grumberg / Information and Computation 206 (2008) 1313–1333

1321

A and ♦A are monotone w.r.t. set inclusion. The latter holds due to the monotonicity of the concrete  and ♦ operators w.r.t. ⊆ and since for UA ⊆ UA , we have that γ (UA ) ⊆ γ (UA ). This ensures that if sa fulfills UA and UA ⊆ UA , then sa also fulfills UA , and similarly for ♦.

A A A Recall that by Definition 2.1, [[ϕ]]A 3 (sa ) = tt if sa ∈ [[ϕ]]tt , and [[ϕ]]3 (sa ) = ff if sa ∈ [[ϕ]]ff . The abstract semantics is well A MC A A defined since whenever sa ∈ [[ϕ]]A tt (resp., [[ϕ]]ff ), then ∀sc ∈ γ (sa ) : [[ϕ]] (sc ) = tt (resp., ff). This ensures that [[ϕ]]tt ∩ [[ϕ]]ff = ∅. For example, by this definition sa enables verification of ϕ = ψ iff sa fulfills UA for some UA ⊆ SA such that every sa ∈ UA enables verification of ψ.

Theorem 3.5. Let MA be an abstract model for MC (from some 3-valued class) which is precise w.r.t. (SA ,γ ). Then whenever sa ∈ SA M enables verification (falsification) of ϕ ∈ Lμ , then [[ϕ]]3 A (sa ) = tt (ff). M

Note that [[ϕ]]3 A is well-defined since MA is an abstract model for MC , thus it is consistent. M

A Proof. We prove that if sa enables verification of ϕ, i.e., [[ϕ]]A tt (sa ) = tt then [[ϕ]]3 (sa ) = tt. The proof for falsification is implied

M

M

since the 3-valued semantics ensures that [[ϕ]]3 A (sa ) = ff iff [[¬ϕ]]3 A (sa ) = tt, and similarly for the abstract semantics, where ¬ϕ stands for the formula resulting by pushing the negation to the literals, while exchanging true with false, ∧ with ∨,  with ♦, and μ with ν. MA More specifically, we prove that if sa ∈ [[ϕ]]A tt , then sa ∈ [[ϕ]]tt . We refer to (closed) fixpoint-free formulas. This is justified by the property that the abstract set of states SA is finite: A variation of the Knaster–Tarski theorem [23] implies that when the set of states is finite, then for a formula ηZ.ψ and an environment ρ, there exists j ∈ N such that for every i  j: M ,ρ

[[ηZ.ψ]]ttA

M ,ρ

= [[ψ i ]]ttA , where ψ i denotes the unwinding of the fixpoint formula i times. Similarly, for the abstract semantics, A,ρ

A,ρ

it holds that there exists j ∈ N such that for every i  j : [[ηZ.ψ]]tt = [[ψ i ]]tt . j and j might be different, but both are bounded by |SA |. Applying this argument recursively with a sufficiently large number of unwindings (e.g. i = |SA |) for each fixpoint subformula implies that any formula ϕ ∈ Lμ is equivalent to a (closed) fixpoint-free formula ϕ  w.r.t. both MA and

 A the abstract semantics, in the sense that [[ϕ]]ttA = [[ϕ  ]]ttA , and in addition [[ϕ]]A tt = [[ϕ ]]tt . Therefore, it suffices to refer to fixpoint-free formulas in the proof. The proof is by induction on the structure of fixpoint-free μ-calculus formulas. The interesting cases are when ϕ = l ∈ Lit, MA ,ρ ,ρ ψ, or ♦ψ. The remaining cases are immediate as both [[ϕ]]A tt and [[ϕ]]tt are defined according to the generic 3-valued semantics. M

M

A A A • If ϕ = l ∈ Lit and sa ∈ [[l]]A tt , then since [[l]]tt = l and by the definition of l we conclude that sa fulfills l. Thus by the

M

definition of a precise model sa ∈ [[l]]ttA . A

A

M

A  A • Suppose sa ∈ [[ψ]]tt . This means that sa ∈  ([[ψ]]A tt ). Let UA = [[ψ]]tt and UA = [[ψ]]tt . By the induction hypothesis for MA A A A     ψ, for every such sa ∈ UA = [[ψ]]tt , we have that sa ∈ [[ψ]]tt = UA . Thus UA ⊆ UA . Recall that sa ∈  ([[ψ]]A tt ) =  (UA ). A

By the monotonicity of 

A

w.r.t. set inclusion, we conclude that sa ∈  (UA ). This means that sa fulfills UA . Moreover, M

M

by its definition, UA is definable by Lμ in MA (since UA = [[ψ]]ttA ). Thus, by the definition of a precise model sa ∈ [[UA ]]ttA , M ([[UA ]]ttA )

meaning that sa ∈  case of ϕ = ♦ψ is similar. MA



=

MA

(UA )

=

MA

MA

MA

([[ψ]]tt ). Thus, by the 3-valued semantics sa ∈ [[ψ]]tt as well. The

The following theorem ensures that an abstract model which is precise w.r.t. the abstraction is also most precise when compared to other abstract models, provided that their class has the following property. Definition 3.6. A 3-valued class of models is structural if its definitions of  ,♦M : 2SA → 2SA ensure that for every UA ⊆ SA , M whenever sa ∈  (UA ), then for every sc ∈ γ (sa ) all the concrete successors of sc are in γ (UA ). Similarly, whenever sa ∈ ♦M (UA ), then every sc ∈ γ (sa ) has a successor in γ (UA ). M

Note that for every UA ⊆ SA which is equal to [[ϕ]]M tt for some ϕ ∈ Lμ , the conditions of Definition 3.6 are guaranteed to M M hold, since in this case  (UA ) = [[ϕ]]tt , and similarly ♦M (UA ) = [[♦ϕ]]M tt . Thus the conditions are implied by the preservation guarantee of the class. However, for a class to be structural, we require that these conditions hold for every UA ⊆ SA . M Intuitively, for  and ♦M to maintain such consistency with the concrete world, they have to be based on some (structural) abstract description of the concrete transitions in the abstract model. For example, GTSs and their variants are such classes. Theorem 3.7 . Let MA ,MA be two abstract models for MC (from possibly different 3-valued classes) basedon an abstraction

1322

S. Shoham, O. Grumberg / Information and Computation 206 (2008) 1313–1333 M

(SA ,γ ). If MA is precise w.r.t. (SA ,γ ) and the class of MA is structural, then for every sa ∈ SA and every ϕ ∈ Lμ : [[ϕ]]3 A (sa ) =⊥ / ⇒ MA

M

[[ϕ]]3 A (sa ) = [[ϕ]]3 (sa ). Proof. Let MA be some abstract model as described in the theorem, and MA a precise model w.r.t. (SA ,γ ). We prove that M

M

for every sa ∈ SA , if [[ϕ]]3 A (sa ) = tt, then [[ϕ]]3 A (sa ) = tt. The proof for falsification is implied since the 3-valued semantics ensures that

M [[ϕ]]3 A (sa )

= ff iff

M [[¬ϕ]]3 A (sa )

= tt and similarly for MA , where ¬ϕ stands for the formula resulting by pushing M

M

the negation to the literals as in the proof of Theorem 3.5. More specifically, we prove that if sa ∈ [[ϕ]]ttA , then sa ∈ [[ϕ]]ttA . As in the proof of Theorem 3.5, we refer to (closed) fixpoint-free formulas. This is justified by the property that the abstract set of states SA of both models is finite (see the proof of Theorem 3.5 for further details). The proof is by induction on the structure of fixpoint-free μ-calculus formulas. As before, we present the interesting cases where ϕ = l ∈ Lit, ψ, or ♦ψ. The M  ,ρ

remaining cases are immediate as both [[ϕ]]ttA

M ,ρ

and [[ϕ]]ttA

are defined with the generic 3-valued semantics.

MA

• For ϕ = l ∈ Lit, if sa ∈ [[l]]tt , then by the preservation guarantee of MA , we conclude that ∀sc ∈ γ (sa ), sc ∈ [[l]]MC (i.e., M

[[l]]MC (sc ) = tt), thus sa fulfills l. Since MA is precise w.r.t. (SA ,γ ), we conclude that sa ∈ [[l]]ttA . M

M

M

• Suppose ϕ = ψ, and sa ∈ [[ψ]]ttA . Let UA = [[ψ]]ttA . To show that sa ∈ [[ψ]]ttA , we need to show that sa ∈  MA

MA

sa ∈ [[ψ]]tt , then by the 3-valued semantics, sa ∈  M

MA

MA

MA

(UA ). Since

M

([[ψ]]tt ). By the induction hypothesis, [[ψ]]tt ⊆ [[ψ]]ttA = UA . Thus,

M

M

M

M

by monotonicity of  A w.r.t. ⊆, we conclude that  A ([[ψ]]ttA ) ⊆  A (UA ), thus sa ∈  A (UA ). Since MA belongs to a structural class, this ensures us that for every sc ∈ γ (sa ) all the concrete successors of sc are in γ (UA ), and thus belong M M to [[UA ]]MC . Thus ∀sc ∈ γ (sa ) : sc ∈ [[UA ]] C (i.e., [[UA ]] C (sc ) = tt). Thus by definition sa fulfills UA . Since MA is precise MA M w.r.t. (SA ,γ ) and UA = [[ψ]]tt is definable by Lμ in MA , this ensures that sa ∈ [[UA ]]ttA . Thus by the 3-valued semantics sa ∈ 

MA

(UA ) = 

MA

M

M

([[ψ]]ttA ), and sa ∈ [[ψ]]ttA . The proof for ϕ = ♦ψ is similar.



3.2. Precision of GTSs Equipped with formal definitions of precision, we go back to our questions about the precision of GTSs. We first observe that if the abstraction partitions the concrete states, then the answer to both questions is “yes”: Theorem 3.8. If the abstraction (SA ,γ ) partitions the concrete states, i.e. for each sa ,sa ∈ SA : γ (sa ) ∩ γ (sa ) = ∅, then the exact GTS from Section 2 is precise w.r.t. (SA ,γ ). Proof. Let MA denote the exact GTS from Section 2. • Suppose that sa ∈ SA fulfills l ∈ Lit. This means that ∀sc ∈ γ (sa ) : [[l]]MC (sc ) = tt (i.e., sc ∈ [[l]]MC ), and by the concrete semantics this implies that ∀sc ∈ γ (sa ) : l ∈ LC (sc ). Therefore by the construction of the exact GTS, l ∈ LA (sa ) and hence M sa ∈ {s | l ∈ LA (s)} = lMA = [[l]]ttA . • Suppose that sa ∈ SA fulfills ϕ = UA (for some UA which is definable by Lμ in MA ). Thus, ∀sc ∈ γ (sa ) : [[UA ]]

MC

(sc ) = tt

(i.e., sc ∈ [[UA ]] ). This means that ∀sc ∈ γ (sa ) ∀sc , if sc Rsc then sc ∈ [[UA ]] . In other words, ∀sc ∈ γ (sa ) ∀sc , if sc Rsc then sc ∈ γ (UA ) (1). Now, consider an outgoing may transition of sa to some sa in MA . It was computed based on the ∃∃ condition, meaning that ∃sc ∈ γ (sa ) ∃sc ∈ γ (sa ) s.t. sc Rsc . By (1), this also ensures that sc ∈ γ (UA ). Thus there exists sa ∈ UA such that sc ∈ γ (sa ). Since we have a partition, it implies that sa = sa (since also sc ∈ γ (sa )). Thus sa ∈ UA and as such M M M M sa ∈ [[UA ]]ttA . As this is true for every outgoing may transition of sa , we conclude that sa ∈  A ([[UA ]]ttA ) = [[UA ]]ttA . MC

MC

• Suppose that sa ∈ SA fulfills ϕ = ♦UA (for some UA which is definable by Lμ in MA ). Thus, ∀sc ∈ γ (sa ) : [[♦UA ]]MC (sc ) = tt (i.e., sc ∈ [[♦UA ]]MC ). This means that ∀sc ∈ γ (sa ) ∃sc such that sc Rsc and sc ∈ [[UA ]]MC , i.e., sc ∈ γ (UA ). In other words, ∀sc ∈ γ (sa ) ∃sc ∈ γ (UA ) such that sc Rsc . Thus, by the construction there exists a must hyper transition in MA from sa to UA , M M M where all the states belong to [[UA ]]ttA (by definition). Thus sa ∈ ♦MA (UA ) = ♦MA ([[UA ]]ttA ) = [[♦UA ]]ttA . 

However, in many cases it might be desirable to gather the concrete states into non-disjoint sets, as this can reduce the size of the abstract state space that enables verification or falsification of the desired property. In this case, the exact GTS is not necessarily precise (e.g. Example 1.1). Still, if the abstraction satisfies the existence of a best approximation assumption [13], then a precise abstract model in the form of a GTS can be constructed by an optimized version of the exact HTS. This is the case, for example, when the abstraction (SA ,γ ) is a part of a Galois connection. In our terminology, an abstraction (SA ,γ ) satisfies the existence of a best approximation assumption if for every sc ∈ SC there exists sa ∈ SA such that sc ∈ γ (sa ) and for every sa ∈ SA , if sc ∈ γ (sa ) then γ (sa ) ⊆ γ (sa ). sa is called the best approximation of

S. Shoham, O. Grumberg / Information and Computation 206 (2008) 1313–1333

1323

sc . For such an abstraction, the construction of the may transitions of the exact GTS can be optimized, following [7], resulting in the optimal GTS. The may transitions of the optimal GTS are computed by the following optimized [∃∃] rule: sa R− sa ⇐⇒ ∃sc ∈ γ (sa ) ∃sc ∈ γ (sa ) s.t. sc Rsc and sa is the best approximation of sc Namely, may transitions whose target state is not the best approximation of the target of any corresponding concrete transition are removed. Note that the optimized rule is only well defined if the existence of a best approximation assumption holds. This optimization maintains the property that if sc ∈ γ (sa ), then (MC ,sc )  (MA ,sa ). As before, the generalized mixed simulation H ⊆ SC × SA is induced by γ as follows: (sc ,sa ) ∈ H iff sc ∈ γ (sa ). Theorem 3.9. If the abstraction (SA ,γ ) satisfies the existence of a best approximation assumption, then the optimal GTS defined above is precise w.r.t. (SA ,γ ). Proof. Let MA denote the optimal GTS defined above. We first note that the optimal GTS has the property that if γ (sa ) ⊆ γ (sa ) M M M M then whenever sa ∈ [[ψ]]ttA (resp., sa ∈ [[ψ]] A ) for some ψ ∈ Lμ , then sa ∈ [[ψ]]ttA (resp., sa ∈ [[ψ]] A ) as well. This follows by ff ff induction on the structure of μ-calculus formulas, based on the construction of the optimal GTS, and on the definitions of M lMA ,  A and ♦MA in a GTS. The main point in the proof is that for such sa and sa in the optimal GTS, (1) if sa is labeled l ∈ Lit, so is sa , meaning that if sa ∈ lMA , then sa ∈ lMA as well, (2) the set of outgoing may transitions of sa is a superset of the set of M M outgoing may transitions of sa , meaning that if sa ∈  A (UA ), then sa ∈  A (UA ) as well, and (3) the set of outgoing must  hyper transitions of sa is a subset of the set of outgoing must hyper transitions of sa , meaning that if sa ∈ ♦MA (UA ), then sa ∈ ♦MA (UA ) as well. We now return to the proof of the theorem. The cases where sa ∈ SA fulfills l ∈ Lit or ♦UA are exactly as in the proof of Theorem 3.8 (note that the proof of these cases did not rely on the fact that we had a partition of the concrete states). We refer to the remaining case, which is different. • Suppose that sa ∈ SA fulfills ϕ = UA for some UA which is definable by Lμ in MA . Thus, ∀sc ∈ γ (sa ) : [[UA ]]

MC (sc ) = tt  γ (sa ) ∀sc , if sc Rsc then

(i.e., sc ∈ [[UA ]] ). This means that ∀sc ∈ ∈ [[UA ]] . In other words, ∀sc ∈ sc ∈ γ (UA ) (1). Now, consider an outgoing may transition of sa to some sa in MA . It was computed based on the optimized ∃∃ condition, meaning that ∃sc ∈ γ (sa ) ∃sc ∈ γ (sa ) s.t. sc Rsc and sa is the best approximation of sc . By (1), this also ensures that sc ∈ γ (UA ). Thus there exists sa ∈ UA such that sc ∈ γ (sa ). Recall that sa is the best approximation of sc , which ensures M M that γ (sa ) ⊆ γ (sa ). Moreover, recall that UA is definable by Lμ in MA , i.e., UA = [[ψ]]ttA or UA = [[ψ]] A for some ψ ∈ Lμ . ff M Thus, by the previous property of the optimal GTS, we have that sa ∈ UA as well. As such, sa ∈ [[UA ]]ttA . As this is true for MC

γ (sa ) ∀sc , if sc Rsc

then sc

every outgoing may transition of sa , we conclude that sa ∈ 

MA

MC

M

M

([[UA ]]ttA ) = [[UA ]]ttA .



In the next section, however, we show that in the most general setting, when no restriction is imposed on the abstraction, the answer to both questions is “no”. 3.3. May transitions as a source of imprecision As demonstrated by Example 1.1, when the given abstract states do not represent disjoint sets of concrete states, and do not satisfy the existence of a best approximation assumption (in this example, the state sc does not have a best approximation since it is abstracted by both s1a and s2a which are incomparable), the may transitions can become a source of imprecision. In this example, there is no abstract GTS for MC over SA that will enable verification of both p and q in sa . This is while the abstraction does enable verification of both p and q in sa (see Definition 3.4). Thus, none of the possible GTSs is precise w.r.t. the given abstraction. Theorem 3.10. GTSs do not always suffice for the construction of a precise abstract model w.r.t. a given abstraction. We emphasize that this imprecision is not limited to a certain construction. Indeed, the construction of the exact GTS from Section 2 is simplistic, as it might introduce redundancy in the may transitions (for example, in Example 1.1 both may transitions would be included). Yet, Theorem 3.10 holds even for optimized constructions that avoid redundant may transitions (e.g. in the style of [7]). It can be shown that the imprecision results from the may transitions and not from the other components of the GTS. This is because whenever the abstraction enables verification of l ∈ Lit or ♦UA , so does the exact GTS, which implies that the labeling and the must hyper transitions (used for verification of such formulas) are precise enough. More than that, analyzing Example 1.1 shows that the imprecision arises when there is no “best” choice of may transitions. Basically, in order to obtain a generalized mixed simulation relation between sc and sa , the abstract model has to over approximate each concrete transition sc Rsc by at least one may transition leaving sa . When the abstraction forms a partition of the concrete states, there is exactly one possibility to over approximate each such transition since sc is abstracted by exactly one abstract state sa . Therefore, the exact GTS is precise in this case (see Theorem 3.8). When the abstraction does not form

1324

S. Shoham, O. Grumberg / Information and Computation 206 (2008) 1313–1333

a partition, we might have several candidates to over approximate each concrete transition. Still, if the abstraction satisfies the existence of a best approximation assumption, then for each concrete transition there is a best overapproximation (may transition), namely, the one where the target state is the best approximation of sc . This results in the optimal GTS, which is precise in this case (see Theorem 3.9). However, when the existence of a best approximation assumption is eliminated as well, there might not be a best choice of may transitions (see also [13]), in which case one needs to consider all of their (incomparable) possibilities to achieve maximal precision. Unfortunately, a GTS does not enable to do that. We therefore suggest to model the may transitions as hyper transitions as well, with the meaning that each may hyper transition (sa ,Aa ) ∈ SA × 2SA provides some over approximation of all the outgoing transitions of the concrete states represented by sa . 3.4. Hyper Kripke modal transition systems This brings us to the new class of abstract models that we suggest to be used in order to obtain maximal precision. Definition 3.11. A hyper Kripke modal transition system (HTS) is a tuple M = (S,R+ ,R− ,L), where S,L,R+ are defined as before, and R− ⊆ S × 2S (not necessarily total). 3-Valued semantics for HTSs. To adapt the 3-valued semantics of Lμ for HTSs we redefine  . The definitions of lM and M

♦M are the same as for GTSs. For every U ⊆ S:  (U) = {s | ∃A ⊆ S s.t. sR− A and ∀t ∈ A : t ∈ U}. This changes the definition for ψ in a consistent HTS to: ⎧ tt if ∃A ⊆ S s.t. sR− A and ⎪ ⎪ ⎪ ⎪ ∀t ∈ A : [[ψ]]M ⎨ 3 (t) = tt M [[ψ]]3 (s) = ff if ∃A ⊆ S s.t. sR+ A and ⎪ ⎪ ⎪ ∀t ∈ A : [[ψ]]M ⎪ 3 (t) = ff ⎩ ⊥ otherwise M

and dually for [[♦ψ]]M 3 (s) when exchanging tt with ff. Thus, in order to evaluate a ψ formula to tt, instead of requiring that all the may transitions of s are to states that satisfy ψ, we now require that there exists a may hyper transition of s such that all the states within the target set satisfy ψ. This is justified by the fact that in an abstract HTS, each may hyper transition of s (as opposed to all the may transitions of s together in an abstract GTS) will over approximate all the concrete transitions leaving the concrete states represented by s. Note that an HTS might be inconsistent. For example, a state s of an HTS M might have both a may hyper-transition to M M M     [[l]]M tt = {s | l ∈ L(s )} and a must hyper-transition to [[l]]ff = {s | ¬l ∈ L(s )}. This means that s ∈ [[l]]tt ∩ [[l]]ff . Yet, we are interested in abstract HTSs, which are always consistent. A GTS, and thus also a Kripke structure, can be viewed as a HTS, where every state has exactly one outgoing may hyper transition, whose target set consists of the target states of all of its (ordinary) may transitions. This encoding preserves the logical semantics of the models. Preservation of Lμ between HTSs (and in particular between an HTS and a Kripke structure) is then guaranteed by the following relation. Definition 3.12 (Hyper mixed simulation). Let M1 = (S1 ,R1+ ,R1− ,L1 ) and M2 = (S2 ,R2+ ,R2− ,L2 ) be two HTSs. H ⊆ S1 × S2 is a hyper mixed simulation from M1 to M2 if (s1 ,s2 ) ∈ H implies the requirements of Definition 2.4, except that requirement 2 is replaced by: 2. if s2 R2− A2 , then there is some A1 ⊆ S1 s.t. s1 R1− A1 and (A1 ,A2 ) ∈ H ∀∃ , where as before: (A1 ,A2 ) ∈ H ∀∃ ⇔ ∀s1 ∈ A1 ∃s2 ∈ A2 : (s1 ,s2 ) ∈ H. If there is a hyper mixed simulation H such that (s1 ,s2 ) ∈ H, we write (M1 ,s1 )  (M2 ,s2 ). Instead of requiring that for each may transition of M1 , there exists a corresponding may transition in M2 such that the target states satisfy (s1 ,s2 ) ∈ H, i.e., s2 over approximates s1 , we now require that for each may hyper transition of M2 there exists a corresponding may hyper transition in M1 (note that the indices are swapped), such that the target sets satisfy (A1 ,A2 ) ∈ H, i.e., A2 over approximates A1 . Intuitively, there can be less may hyper transitions in M2 but each one has to over approximate some hyper transition in M1 . Thus, if some may hyper transition was used to verify ψ in M2 , then the may hyper transition that it over approximates can be used to verify it in M1 . Note that a may hyper transition of M1 that has no representation in M2 can only cause formulas with a definite value in M1 to be indefinite in M2 and not vice versa. M

Theorem 3.13. For HTSs M1 and M2 with states s1 and s2 ,resp., if (M1 ,s1 )  (M2 ,s2 ) then for every ϕ ∈ Lμ : s2 ∈ [[ϕ]]tt2 ⇒ s1 ∈ M1

[[ϕ]]tt , and s2 ∈ [[ϕ]]

M2

ff

⇒ s1 ∈ [[ϕ]]

M1

ff

.

S. Shoham, O. Grumberg / Information and Computation 206 (2008) 1313–1333

1325

Proof. The proof is obtained by induction on the structure of μ-calculus formulas, similarly to the proof of Theorem 2.5. The only changes occur in cases where the semantics was changed, i.e., where may hyper transitions are used instead of (ordinary) may transitions. • Suppose s2 ∈ [[ψ]]tt2 . Then by the definition of the semantics there exists a may hyper transition from s2 to A2 M ,ρ

M ,ρ

such that for each s2 ∈ A2 : s2 ∈ [[ψ]]tt2 . Moreover, since (s1 ,s2 ) ∈ H, we know that there exists A1 such that s1 has a may hyper transition to A1 and (A1 ,A2 ) ∈ H ∀∃ , meaning that ∀s1 ∈ A1 ∃s2 ∈ A2 : (s1 ,s2 ) ∈ H. Let s1 be such a state in M ,ρ

A1 and s2 the corresponding state from A2 . Since s2 ∈ A2 , we know that s2 ∈ [[ψ]]tt2 . By the induction hypothesis, this implies that s1 ∈ [[ψ]]tt1 . That is, ∀s1 ∈ A1 : s1 ∈ [[ψ]]tt1 . Thus s1 ∈ [[ψ]]tt1 . The treatment of the case where s2 ∈ [[♦ψ]] M ,ρ

is dual.

M ,ρ



M ,ρ

M2 ,ρ

ff

Construction of an abstract HTS. Let MC = (SC ,R,LC ) be a (concrete) Kripke structure. Given an abstraction (SA ,γ ) for it, an abstract model in the form of a HTS MA = (SA ,R+ ,R− ,LA ), can be constructed as a GTS (see Section 2) with the exception that R− now consists of hyper transitions, constructed as follows. A may hyper transition sa R− Aa exists only if an [∀∀∃] condition holds: ∀sc ∈ γ (sa ) ∀sc [ sc Rsc ⇒ ∃sa ∈ Aa s.t. sc ∈ γ (sa ) ] That is, every outgoing may hyper transition of sa over approximates all the concrete transitions of the states represented by sa . In other words, each of the target sets of the outgoing may hyper transitions of sa over approximates all the targets of the concrete transitions leaving the concrete states represented by sa . An example of a “legal” may hyper transition that satisfies the ∀∀∃ condition is (sa ,Aa ) for every sa ∈ SA and Aa = {sa | ∃sc ∈ γ (sa ) ∃sc ∈ γ (sa ) s.t. sc Rsc }. Note that the “only if” allows to include less hyper transitions than allowed by the rule. The following theorem formalizes the correctness of the construction. Theorem 3.14. Let MC be a concrete Kripke structure over SC , and let MA be an HTS computed as described above based on an abstraction (SA ,γ ) for SC . Then whenever sc ∈ γ (sa ) then (MC ,sc )  (MA ,sa ). Proof. We show that H ⊆ SC × SA defined by (sc ,sa ) ∈ H iff sc ∈ γ (sa ) is a hyper mixed simulation. Let sc ∈ γ (sa ). Requirements 1 and 3 regarding the labeling and the must hyper transitions are fulfilled as in a GTS. We now refer to requirement 2. When viewing a Kripke structure as a HTS, every state sc ∈ SC has exactly one outgoing may hyper transition sc R− Ac where Ac consists of all the destination states of the ordinary transitions of sc , i.e., Ac = {sc : sc Rsc }. Now, let Aa ⊆ SA be such that sa R− Aa . Since sc R− Ac is the only may hyper transition of sc in MC , we need to show that (Ac ,Aa ) ∈ H ∀∃ . Since sa R− Aa , this means (by the construction) that ∀sc ∈ γ (sa ) ∀sc [ sc Rsc ⇒ ∃sa ∈ Aa s.t. sc ∈ γ (sa ) ]. In particular, for our sc , we have that ∀sc [ sc Rsc ⇒ ∃sa ∈ Aa s.t. sc ∈ γ (sa ) ], and in particular, ∀sc ∈ Ac ∃sa ∈ Aa s.t. sc ∈ γ (sa ). This is because by the definition of Ac , every sc ∈ Ac is a successor of sc , i.e., sc Rsc holds for it. sc ∈ γ (sa ) implies that (sc ,sa ) ∈ H. Thus, (Ac ,Aa ) ∈ H ∀∃ .  For example, to verify p and q in Example 1.1, we include (sa ,{s1a }) and (sa ,{s2a }) as may hyper transitions. Note that both of these hyper transitions satisfy the ∀∀∃ condition, which ensures that each of them over approximates all the concrete transitions of the concrete state represented by sa (in this case there is only one such concrete transition). In addition, the labeling function defines LA (s1a ) = {p}, and LA (s2a ) = {q}. Now, the may hyper transition (sa ,{s1a }) enables to verify p. Similarly, the may hyper transition (sa ,{s2a }) enables to verify q. Thus, p ∧ q is verified. Exact HTS. If the “only if” in the definition of may hyper transitions is replaced by “iff”, the may hyper transitions are exact. If all components are exact, we get the exact HTS. Theorem 3.15. Let MC be a Kripke structure and MAE the exact HTS computed as described above based on an abstraction (SA ,γ ). Then MAE is precise w.r.t. (SA ,γ ). Proof. The cases where sa ∈ SA fulfills l ∈ Lit or ♦UA are exactly as in the proof of theorem 3.8 (note that the proof of these cases did not rely on the fact that we had a partition of the concrete states). We refer to the remaining case, which is different. • Suppose that sa ∈ SA fulfills ϕ = UA (for some UA which is definable by Lμ in MA ). This means that ∀sc ∈ γ (sa ) :

[[UA ]] C (sc ) = tt (i.e., sc ∈ [[UA ]] C ). In other words, ∀sc ∈ γ (sa ) ∀sc , if sc Rsc then sc ∈ [[UA ]]MC , or equivalently ∀sc ∈ γ (sa ) ∀sc , if sc Rsc then sc ∈ γ (UA ), meaning that, ∀sc ∈ γ (sa ) ∀sc [ sc Rsc ⇒ ∃sa ∈ Ua s.t. sc ∈ γ (sa ) ]. Thus, by the construction of the exact HTS there exists a may hyper transition in MA from sa to UA . In addition, all the (abstract) states in UA belong M M M M M to [[UA ]]ttA (by definition), thus by the 3-valued semantics over HTS sa ∈  A (UA ) =  A ([[UA ]]ttA ) = [[UA ]]ttA .  M

M

Optimization. As suggested in [11,10] for must hyper transitions, a HTS can be reduced without damaging its precision by discarding may and must hyper-transitions (sa ,Aa ) that are not minimal, meaning that there is another hyper transition (sa ,Aa ) of the same type where Aa ⊂ Aa . In particular, Theorem 3.15 still holds after this optimization is applied.

1326

S. Shoham, O. Grumberg / Information and Computation 206 (2008) 1313–1333

For example, in the exact HTS constructed for Example 1.1, R− (and also R+ ) includes in addition to the hyper transitions (sa ,{s1a }) and (sa ,{s2a }), the hyper transition (sa ,{s1a ,s2a }), which is not minimal. The latter may hyper transition indicates that the set {s1a ,s2a } over approximates all the targets of the concrete transitions leaving the concrete state represented by sa (in this example the only concrete target is the state sc ). However, the may hyper transitions (sa ,{s1a }) and (sa ,{s2a }) represent tighter overapproximations of sc . Thus the same precision is achieved when the may hyper transition (sa ,{s1a ,s2a }) is omitted. In particular, the overapproximation provided by the may hyper transition (sa ,{s1a ,s2a }) does not help in the verification of p, nor does it help in the verification of q. This is because for a may hyper transition to witness that ψ holds in an abstract state, all of the target states of the hyper transition must satisfy ψ, which is not the case for s1a and s2a w.r.t. neither p nor q. The same reasoning applies to other non-minimal hyper transitions which are included in R− and R+ , leaving us with R+ = R− = {(sa ,{s1a }),(sa ,{s2a })}. Note that in a HTS, both the 3-valued semantics and the preservation relation (hyper mixed simulation) treat may and must hyper-transitions in the same way, rather than dually. Still, may hyper-transitions and must hyper-transitions have different roles in an abstract model: the first provides an overapproximation of the concrete transitions, and the latter provides an underapproximation for them. This difference is captured by the fact that when viewing a Kripke structure as a HTS, the may and must hyper-transitions are defined differently. Namely, each concrete transition is considered a must hyper-transition, whereas all the concrete transitions together form a single may hyper-transition. As such, the may and must hyper-transitions of an abstract HTS, which is related to the concrete Kripke structure by a hyper mixed simulation, are each required to satisfy different rules w.r.t. the concrete transitions. This is demonstrated by the construction of an abstract HTS, where the may and must hyper-transitions are defined differently. 3.5. Discussion: precision versus completeness Our definition of precision should not be confused with the notion of completeness in abstract interpretation. Completeness in abstract interpretation [26,27] means that no additional loss of information is accumulated when computing the semantics in the abstract model over the abstract states. The standard notion of completeness requires M that [[ψ]]ttA = α([[ψ]]MC ), where α denotes an abstraction function (or relation) that maps each set of concrete states to an abstract state that represents it. This means that the result of computing the abstract semantics over the abstract states coincides with the result of computing the concrete semantics over the concrete states and then applying abstraction on the result.2 It is shown in [29] that completeness in abstract interpretation is equivalent to a variant of strong preservation, called best preservation. Strong preservation in model checking means that the same formulas can be verified on the concrete model and on the abstract model. The notion of strong preservation is generalized in [30,31,29] to abstract interpretation-based models and related to completeness. Specifically, completeness is shown to be equivalent to best preservation, which requires that M sa ∈ [[ψ]]ttA iff γ (sa ) ⊆ [[ψ]]MC . This means that whenever all of the concrete states represented by an abstract state sa satisfy ψ, then the abstract semantics enables to verify ψ in sa . Although our definition of precision w.r.t. l ∈ Lit, UA and ♦UA (see Definition 3.3) resembles the notion of completeness (or best preservation), the precision of a precise abstract model guaranteed by our definition is rather different. In particular, M our definition of precision does not ensure that sa ∈ [[ψ]]ttA whenever all of the concrete states represented by sa satisfy ψ. M

Instead, only if sa enables verification of ψ do we ensure that sa ∈ [[ψ]]ttA . Enabling verification is a stronger property that takes into account the inductiveness of the semantics. For example, even when using the exact HTS, which is precise, we are unable to verify (p ∧ q) using the given abstraction in Example 1.1, since sa does not enable verification of (p ∧ q) (see Definition 3.4), i.e., the abstraction itself is not precise enough. Intuitively, this results from the fact that there is no abstract state that represents the concrete states that satisfy both p and q in this example: in fact, there is only one such concrete state, sc , in this example, but every abstract state that represents it also represents additional concrete states that do not satisfy either p or q. Thus, there is no abstract state that enables verification of p ∧ q. Once precision is lost w.r.t. p ∧ q, the inductive semantics is unable to recover this information and verify (p ∧ q). Note, however, that in order to obtain completeness, or equivalently best preservation, sa should satisfy (p ∧ q), since the only concrete state represented by sa satisfies (p ∧ q). The fact that we do not obtain completeness (or strong preservation) by our precision definition is not surprising. When using an inductive definition of the semantics, as we do in this paper, completeness w.r.t. the semantics requires pointwise completeness, which means completeness w.r.t. each of the operators. As shown in [27,28], the ability to obtain pointwise completeness is a property of the abstraction (i.e., the abstract states). Intuitively, it requires that the abstraction enables to express not only the property we aim to verify, but also the intermediate properties that lead to it (such as p ∧ q in the above example), as captured by our definition of “enabling verification”. However, our precision does not require anything of the abstraction. In particular, we do not require that the abstraction enables to verify any property. We simply refer to the precision of an abstract model w.r.t. the given abstraction (SA ,γ ). We wish to make the most of the given abstraction, in M

2 Ref. [28] also defines a second form of completeness, called forward completeness, which requires that γ ([[ψ]] A ) = [[ψ]]MC . This notion of completeness tt differs from our notion of precision as well by similar arguments (although the two notions of completeness do not coincide).

S. Shoham, O. Grumberg / Information and Computation 206 (2008) 1313–1333

1327

Fig. 2. Rules for product graph construction.

contrast to, e.g. applying completion methods on the abstraction in order to make the abstraction itself more precise (or complete). 4. Decreasing the model checking cost Using the exact HTS as an abstract model ensures maximal precision. Yet, it involves an exponential blowup (even with the suggested optimization). In this section, we suggest an efficient model checking for the alternation-free μ-calculus, which remains quadratic in the number of abstract states, and yet produces a result which is as precise as possible with respect to a specific property. From now on, we restrict the discussion to the alternation free fragment of the μ-calculus. Let MC be a concrete Kripke structure and ϕ ∈ L0μ a formula that we wish to check in some state sc of MC . Moreover, suppose that we are given a (finite) abstraction (SA ,γ ). All the abstract states that represent sc are candidates to enable verification or falsification of ϕ in sc . We therefore refer to them as designated states. Our purpose is to evaluate ϕ in all these designated abstract states in the exact HTS MAE . Our algorithm is based on a generalization of the game-based model checking suggested in [32] for CTL over abstract models with ordinary may and must transitions. We omit the details of the game, but continue with the game-graph, to which we refer as the product graph. Product graph. The product graph presents all the information “relevant” for the model checking: Every node in the graph is labeled by sa  ψ, where sa is an abstract state and ψ is a subformula of ϕ, indicating that the value of ψ in sa is relevant for determining the model checking result. The outgoing edges of a node sa  ψ can be seen as defining “subgoals” for the goal of checking ψ in sa . Formally, let ϕ ∈ L0μ be a formula, SA a set of states, Sd ⊆ SA a set of designated states in which we want to evaluate ϕ, and  R is meant to provide a basic description of the possible transitions between states (we R ⊆ SA × SA a total transition relation.  will soon see how it is obtained). The product graph GS , , or in short G, is a graph (N,E) with a set of nodes N ⊆ SA × Sub(ϕ) d R,ϕ and a set of edges E ⊆ N × N, defined as follows. The initial nodes N0 ⊆ N consist of Sd × {ϕ}. The (rest of the) nodes and the edges are defined by the rules of Fig. 2, with the meaning that whenever n ∈ N is of the form of the upper part of the rule, then the result in the lower part of the rule is also a node n ∈ N and (n,n ) ∈ E. The nodes of G are classified as ∧, ∨, , ♦ nodes, based on their subformuals. Nodes whose subformula is a literal, true or false are terminal nodes (they have no outgoing edges). Nodes whose subformulas are of the form Z or ηZ.ψ are deterministic—they have exactly one son. Each strongly connected component (SCC) in G which is non-trivial, i.e., has at least one edge, contains exactly one free fixpoint variable Z ∈ V , called a witness. If fp(Z) = μZ.ψ, then Z is a μ-witness. Otherwise it is a ν-witness. Coloring algorithm. To determine the model checking result, a coloring algorithm is applied on the product graph with the purpose of labeling each node n = sa  ψ in it by T , F, ? depending on the value of ψ in the state sa in MAE , based on the 3-valued semantics. The coloring algorithm of [32] processes the product graph bottom-up by iterating two phases: In the sons-coloring phase, a node is colored based on the colors of its sons by rules which reflect the 3-valued semantics of the logic. In the witness-coloring phase a special procedure is applied to handle cycles (non trivial SCCs) in the graph. The witness-coloring phase analyzes nodes that remained uncolored after iterating the rules of the sons-coloring phase. Such nodes are necessarily a part of a non-trivial SCC which has a witness. Depending on the witness, one of the definite colors (T or F) is ruled out for the remaining uncolored nodes, yet another phase is needed to decide between ? and the remaining definite color. For example, a μ-witness rules out the T -color, as infinite paths cannot contribute to satisfaction of a μ (least fixpoint) formula. Thus, for an uncolored node n in such an SCC it remains to be checked if the condition for coloring n by F, which depends on n’s type, can still hold for it, and if not color it ?. This is done similarly to the sons-coloring phase, except that the rules are now aimed at checking that n has no potential to be colored F. The remaining nodes are colored F. As for our algorithm, for the sake of the explanation, suppose first that we construct the product graph based on MAE (of course, eventually the point will be to avoid the construction of MAE ).  R will thensimply be the set  RE = {(sa ,sa ) | sa ∈

1328

S. Shoham, O. Grumberg / Information and Computation 206 (2008) 1313–1333

Aa and (sa R− Aa or sa R+ Aa )}, where R− and R+ are the transition relations of MAE . That is,  RE contains all the (ordinary) E transitions that participate in some hyper-transition in MA . In this case, we also define may and must hyper-sons in G: if n = s  ⽦ψ ∈ N for ⽦ ∈ {,♦} and sR− A (sR+ A), then B = A × {ψ} ⊆ N is a may (must) hyper-son of n. The coloring can be extended to handle hyper sons in the same way that the 3-valued semantics is extended to handle hyper transitions. For example, a -node will be colored by F iff it has a must hyper-son whose nodes are all colored by F. It will be colored by T iff it has a may hyper-son whose nodes are all colored by T . Otherwise it will be colored ?. Dually for a ♦-node. Thus, the coloring algorithm can be seen, in a sense, as exhaustively trying to find the justification for coloring each node. Yet, instead of considering all the hyper sons and checking if any of them justifies coloring the node, we suggest to use the information gathered so far in the bottom-up coloring to perform this check wisely. For example, to color a -node n by F, it suffices to check, whenever some son of n gets colored by F, if all of n’s currently F-colored sons comprise a must hyper-son (i.e., their underlying states fulfill the ∀∃∃ rule). This is because must hyper-sons whose nodes are not all colored F will not justify coloring n by F, and thus need not be checked. Moreover, if some subset of the F-colored sons of n comprises a must hyper-son, then so does the full set. Similarly, to conclude that n should not be colored F (as is done in the witness-coloring phase), it suffices to check that n’s currently F-colored sons along with the uncolored sons (if exist) do not form a must hyper-son. If they do not, then the same holds for any of their subsets, and clearly other sets of nodes cannot form a must hyper-son whose nodes are all colored F. This means that n has no potential to have a must hyper-son whose nodes are all colored by F, and it is safe to conclude that it cannot be colored F. Thus, checking these candidates is as informative as checking all of the possible must hyper sons. Similar reasoning applies to may hyper sons. This leads us to the following algorithm, where MAE is not constructed in advance. 4.1. Optimized abstract model checking Let MC be a concrete model, sc ∈ SC a concrete state, ϕ ∈ L0μ a formula that we wish to check in sc , and (SA ,γ ) an abstraction. The algorithm is as follows.  A = (SA , Product graph construction. Construct a partial HTS M R,LA ), where LA is defined as in the exact HTS, and  R ⊆ SA × SA is defined by  R = {(sa ,sa ) | ∃sc ∈ γ (sa ) ∃sc ∈ γ (sa ) s.t. sc Rsc }. This ensures that  R ⊇ RE . Construct the product graph GS , based d R,ϕ R as above, and S = {sa | sc ∈ γ (sa )}. on ϕ, SA ,  d

Partition. GS , is partitioned into maximal strongly connected components (MSCCs), denoted Qi ’s, and a (total) order d R,ϕ  is determined on them, s.t. for every n ∈ Qi and n ∈ Qj , (n,n ) ∈ E only if Qj  Qi . Such an order exists because the MSCCs form a directed acyclic graph. Coloring. The following two phases are performed repeatedly until all nodes are colored. (1) Sons-coloring phase. Apply the following rules until none is applicable. • A terminal node sa  true (sa  false) is colored T (F). • A terminal node sa  l is colored T if l ∈ LA (sa ), F if ¬l ∈ LA (sa ), and ? otherwise. • An ∧-node (∨-node) is colored by: • T (F) if both its sons are colored T (F). • F(T ) if it has a son that is colored F(T ). • ? if it has a son that is colored ? and the other is colored = / F(T ). • A deterministic node is colored as its (only) son. • A -node (♦-node) is colored by: • T (F) if its currently T(F)-colored sons form a may hyper son. • F(T ) if its currently F(T )-colored sons form a must hyper son. • ? if all of its sons are colored, yet none of the above holds. (2) Witness-coloring phase. If there are still uncolored nodes, let Qi be the smallest MSCC w.r.t.  that is not yet fully colored. Qi is necessarily a non-trivial MSCC that has exactly one witness. Its uncolored nodes are colored according to the witness. For a μ-witness: a) Repeatedly color ? each node in Qi satisfying one of the following. • An ∧-node (∨-node) that both (at least one) of its sons are colored = / F. • A deterministic node whose son is colored ?. • A -node (♦-node) whose F-colored sons along with its remaining uncolored sons do not form a must (may) hyper-son. b) Color the remaining nodes in Qi by F. The case where the witness is of type ν is dual, when exchanging F with T, ∧ with ∨, and  with ♦.

S. Shoham, O. Grumberg / Information and Computation 206 (2008) 1313–1333

1329

In each phase of the coloring, the rules will initially be checked once for every uncolored node, and later will only be checked when one of the sons of the node gets colored by an appropriate color. Several optimizations can be used. For example, during phase 1 it is possible to color a -node (♦-node) by ? before all of its sons are colored by checking that all of its T(F)-colored sons along with its uncolored sons do not form a may hyper son, and in addition all of its F(T )-colored sons along with its uncolored sons do not form a must hyper son. Note that if one of these conditions holds at one time then it will remain valid, thus it need not be checked again. Remark 4.1 Checking if a set B of nodes forms a may or must hyper son of a -node or a ♦-node n is performed by checking the ∀∀∃ or the ∀∃∃ condition, respectively, between the underlying states of the node n and the set of nodes B. The following theorem formalizes the correctness of the algorithm, by relating the colors of nodes in the product graph to truth values of the corresponding formulas in the corresponding states. To refer to formulas in the product graph which are not closed, we use the following notation. For a (possibly not closed) alternation free formula ϕ1 , ϕ1∗ denotes the result of replacing every free occurrence of Z ∈ V in ϕ1 by fp(Z). ϕ1∗ is always a closed formula. Theorem 4.2 Let MAE denote the exact HTS for MC w.r.t. (SA ,γ ). Let G = GS , be the product graph produced by the algorithm. d R,ϕ Then for every n = sa  ϕ1 ∈ G the following holds: ME

(1) [[ϕ1∗ ]]3 A (sa ) = tt iff n = sa  ϕ1 is colored by T . ME

(2) [[ϕ1∗ ]]3 A (sa ) = ff iff n = sa  ϕ1 is colored by F. ME

(3) [[ϕ1∗ ]]3 A (sa ) =⊥ iff n = sa  ϕ1 is colored by ?. Proof. [sketch] The proof is by induction on the run of the coloring algorithm. For any node which is colored within the sons-coloring phase the correctness follows directly from the 3-valued semantics, combined with the fact that if all the T -colored sons of a node n do not comprise a must (may) hyper-son, then n does not have a must (may) hyper son whose nodes are all colored T . Similarly for F. Thus it is sufficient to check if the selected candidates comprise hyper sons, rather than considering all the possible subsets of sons, as described before. As for nodes which are colored in the witness coloring phase, the proof consists of several steps. We demonstrate the idea of the proof for a Qi with a witness Z of type μ (the proof for the case of a ν-witness is similar). In this case nodes are either colored by ? (in phase 2a) or F (in phase 2b). The first step is thus to show that the remaining uncolored nodes in Qi at the beginning of this phase should indeed not be colored T. Let n = sa  ϕ1 be a node in Qi . We show ME

that if [[ϕ1∗ ]]3 A (sa ) = tt, i.e., n should be colored T, then n must have already been colored T in the sons-coloring phase. Thus none of the uncolored nodes should be colored T . ME

ME

Suppose that fp(Z) = μZ.ψ. Since the abstract state space is finite, there exists i such that [[μZ.ψ]]ttA = [[ψ i ]]ttA , where ψ i ME

denotes the unwinding of the fixpoint formula i times (see Section 2). Let ϕ1 and sa be such that [[ϕ1∗ ]]3 A (sa ) = tt, i.e., sa ∈ ME

ME

ME

MAE ,ρ[Z:=[[μZ.ψ]]

[[ϕ1∗ ]]ttA . By the definition of ϕ1∗ , [[ϕ1∗ ]]ttA = [[ϕ1 [Z := μZ.ψ]]]ttA = [[ϕ1 ]]tt

ME A]

ME A]

M E ,ρ[Z:=[[ψ i ]]

E

tt = [[ϕ [Z := ψ i ]]]MA . 1 tt

tt = [[ϕ ]] A 1 tt

Note that ϕ1 [Z := ψ i ] is fixpoint-free, and it does not contain any free variable. Thus, one can follow the inductive definition of the 3-valued semantics for ∧, ∨,  and ♦ and construct a finite tree over pairs of states and formulas that explains why ME

ME

sa ∈ [[ϕ1 [Z := ψ i ]]]ttA . The root of the tree is (sa ,ϕ1 [Z := ψ i ]). All the pairs (sa ,ϕ  ) in the proof tree will be such that sa ∈ [[ϕ  ]]ttA . For example, for a pair of the form (sa ,ϕ1 ∧ ϕ2 ), both (sa ,ϕ1 ) and (sa ,ϕ2 ) will be included as sons in the proof tree. For a ME

pair (sa ,ϕ  ) some set Aa × {ϕ  } such that sa R− Aa is a may hyper-transition in MAE and Aa ⊆ [[ϕ  ]]ttA will be included. The ME

property that all the pairs (sa ,ϕ  ) in the tree are such that sa ∈ [[ϕ  ]]ttA ensures that ψ 0 will not be included in the tree, as ME

ME

[[ψ 0 ]]ttA = [[false]]ttA = ∅. In addition, since no free variables or fixpoints exist in the tree, the subformulas become strictly shorter along paths of the tree. These two properties ensure that every path in the tree eventually reaches a formula that does not contain ψ j as a subformula for any j  0. These will be the leaves of the tree, which makes the tree finite (this results from the fact that we have explicitly unwound the fixpoint). We now map every formula in the proof tree back to the original formula that produced it (by replacing ψ j by Z), i.e., if ϕ  = ϕ[Z := ψ j ], then we define σ (ϕ  ) = ϕ. This defines a mapping σ˜ from the nodes of the proof tree to the nodes of the product graph: σ˜ (sa ,ϕ  ) = sa  σ (ϕ  ). Since the leaves of the proof tree do not contain formulas of the form ψ j for any j  0, we are guaranteed that all the leaves of the proof tree are mapped to nodes in the product graph that do not contain Z, thus they belong to smaller Qj ’s. This is the crucial observation as it means that these nodes were already colored by the time the witness coloring phase is applied on Qi and by the induction hypothesis their coloring is correct, i.e., they are colored T . This provides the basis for an inductive argument (on the depth of the proof tree) that shows that for every node (sa ,ϕ  ) in the proof tree, the corresponding node σ˜ (sa ,ϕ  ) in the product graph could be colored T in the sons-coloring phase. The induction step

1330

S. Shoham, O. Grumberg / Information and Computation 206 (2008) 1313–1333

follows by a case analysis on the type of subformulas, and results from the relation between the 3-valued semantics and the rules of the coloring in the sons-coloring phase. Since the sons-coloring phase is iterated as long as some rule is applicable, the corresponding nodes must have been indeed already colored T . For example, consider some pair (sa ,ϕ  ) in the proof ME

tree for which the tree contains as witness the pairs Aa × {ϕ  } for some may hyper transition sa R− Aa such that Aa ⊆ [[ϕ  ]]ttA . Then first by the definition of  R, and since σ (ϕ  ) = σ (ϕ  ), all of the nodes A × {σ (ϕ  )} to which A × {ϕ  } are mapped by a

a

σ˜ are sons of the node sa  σ (ϕ  ) that corresponds to (sa ,ϕ  ) in the product graph. By the induction hypothesis, all of these sons get colored T in the sons-coloring phase. Thus, at latest when the last of them gets colored T , then the algorithm finds out that the set of currently T -colored sons of sa  σ (ϕ  ), which is a superset of Aa × {σ (ϕ  )}, is a may hyper son of sa  σ (ϕ  ) = σ˜ (sa  ϕ  ), and therefore colors it T during the sons-coloring phase. In particular, for the root of the proof tree, (sa ,ϕ1 [Z := ψ i ]), we have that σ˜ (sa ,ϕ1 [Z := ψ i ]) = sa  ϕ1 , which ensures that n = sa  ϕ1 already got colored T in the sons-coloring phase. Now, for nodes which are colored in phase 2a, a similar analysis as in the sons-coloring phase, following the 3-valued semantics, combined with the fact that if all the F-colored sons along with the uncolored sons of a node n do not comprise a must (may) hyper-son then n does not have a must (may) hyper son whose nodes are all colored F, shows that the nodes colored in phase 2a should not be colored F. Together with the previous argument saying that they should not be colored T , this ensures the correctness of their coloring by ?. To complete the proof it remains to show that the nodes sa  ϕ1 which are colored in phase 2b should indeed be colored F. Alternatively, it suffices to show that every node sa  ϕ1 that should not be colored F, i.e., [[ϕ1∗ ]]3 (sa ) = / ff, is indeed already colored by a different color (T or ?) when this phase is reached. Again, since the state space is finite, there exists i such that ME

ME

ME

ME

[[μZ.ψ]] A = [[ψ i ]] A , where ψ i denotes the unwinding of the fixpoint formula i times. In particular, [[ϕ1∗ ]] A = [[ϕ1 [Z := ψ i ]]] A . ff ff ff ff The proof again uses a construction of a proof tree, except that now this is a proof tree that explains why sa ∈ [[ϕ1 [Z := ψ i ]]] Here again the crucial observation is that ψ 0

ME cannot be part of the proof tree, since [[ψ 0 ]] A

nodes (sa ,ϕ  ) in the proof tree are such that sa ∈

ME [[ϕ  ]] A .

ff

= [[false]]

MAE

ff

MAE

ff

.

= SA , whereas all the

Thus all the leaves of the proof tree are mapped to nodes in smaller ff Qi ’s, which are already colored correctly (i.e., = / F) before phase 2b and by induction on the depth of the proof tree so are the rest of the nodes of the product graph which are mapped to internal nodes of the proof tree. For example, for a pair (sa ,ϕ  ) the proof tree contains as witness a set Aa × {ϕ  } such that Aa contains at least one state sa* such that sa* ∈ [[ϕ  ]] sa R+ A*a

MAE

ff

from

* * every must hyper transition in Thus, at latest in phase 2a, after the last of the nodes sa  σ (ϕ  ) for sa ∈ Aa gets colored = / F (this happens by the induction hypothesis), it holds that the set B of F-colored sons of sa  σ (ϕ  ) along with its uncolored sons does not form a must hyper son, since for every must hyper transition of MAE at least one target state comprises a node which belongs to Aa × {σ (ϕ  )}, and is thus colored = / F at this point, and does not belong to B. Thus, sa  σ (ϕ  ) gets

colored ?.

MAE .



Thus, for all the nodes in the product graph, the coloring is as precise as model checking with MAE , even though MAE is not constructed by the algorithm. Note that if ϕ1 is closed then ϕ1∗ = ϕ1 . Thus, for a node n = sa  ϕ1 whose formula is closed the theorem immediately implies that the color of n in G matches the truth value of ϕ1 in the state sa of MAE . In particular, this is true for N0 = Sd × {ϕ}, and by the choice of Sd , we are guaranteed that whenever the abstraction is precise enough, at least one initial node will be colored by a definite color T or F, in which case by Theorems 4.2 and 3.13, [[ϕ]]MC (sc ) = tt or ff, respectively. Note, that it is impossible that some initial node will be colored T and another will be colored F. If all the initial nodes in the product graph are colored ?, then the result is indefinite. Remark 4.3. By considering the underlying hyper transitions of hyper sons computed by the algorithm, the final product graph induces an abstract HTS for MC which is as precise as the exact HTS w.r.t. ϕ. Complexity. During all applications of the sons-coloring phase, the ∀∃∃ and the ∀∀∃ conditions are checked at most |SA | times for each node, as each node has at most |SA | sons, and between checks the set of candidates to comprise a hyper son is monotonically increasing. Similar analysis holds for phase 2a, with the difference that the sets of candidates to comprise a hyper son are monotonically decreasing. As the number of nodes in the product graph is O(|SA | × |ϕ|), the total number of checks of the ∀∃∃ and the ∀∀∃ conditions is O(|SA |2 × |ϕ|). This is the dominant part which determines the model checking complexity. Example 4.4. Consider Example 1.1, where the purpose is to verify p ∧ q in the concrete state sc , abstracted by sa (see Fig. 1). This makes sa the designated state. In this case  R = {(sa ,s1a ),(sa ,s2a )}. Thus, we obtain the product graph depicted in Fig. 3, where sa  p ∧ q is the initial node. Each node in the product graph comprises a (trivial) MSCC. Fig. 3 also determines an order on the MSCCs, as indicated by the numbering of the nodes. The nodes s1a  p, s2a  p, s1a  q and s2a  q are colored as terminal nodes in the sons-coloring phase (in some arbitrary order). Their coloring is depicted in Fig. 3. For example, s1a  p is colored T since p ∈ LA (s1a ), but s2a  p is colored ? since both p ∈ LA (s2a ) and ¬p ∈ LA (s2a ). Once s1a  p is colored T , it is

S. Shoham, O. Grumberg / Information and Computation 206 (2008) 1313–1333

1331

Fig. 3. A colored product graph. Grey nodes are colored ?, while white nodes are colored T.

checked if the set {s1a  p}, which consists of the currently T -colored sons of the node sa  p, forms a may hyper son of sa  p. This is checked by checking if the ∀∀∃-condition holds for sa and the set {s1a }. Since the condition holds, sa  p is colored T . Similarly, once s2a  q is colored T , it is checked if the set {s2a  q} forms a may hyper son of sa  q (by checking the ∀∀∃-condition). Since the condition holds, sa  q is colored T . Thereafter, sa  p ∧ q is colored T , and we conclude that the value of p ∧ q in sa is tt, thus sc satisfies p ∧ q. In fact, the abstract model checking has “discovered” the two may hyper transitions (sa ,{s1a }) and (sa ,{s2a }), which are the ones needed for the verification of the formula in this example.

5. Abstraction-refinement Our abstract model checking ensures maximal precision w.r.t. the given abstraction. Still, its result might be indefinite if the abstraction is not precise enough. In this case, refinement can be applied by splitting the abstract states, similarly to the refinement of [32] for models with ordinary transitions (with various optimizations that exploit the use of hyper transitions). Definition 5.1 (Split). Let SC be a set of concrete states, let SA and SA be two sets of abstract states and let γ : SA → 2SC , γ  : SA → 2SC be the corresponding concretization functions. We say that (SA ,γ  ) is a split of (SA ,γ ) iff there exists a (total) 

    function ρ : SA → SA such that for every sa ∈ SA : ρ(sa )=sa γ (sa ) = γ (sa ). If ρ(sa ) = sa then sa is a substate of sa . When refinement is introduced, monotonicity in the precision of the abstract models before and after the refinement is desirable, meaning that formulas that had a definite value before the refinement will not become indefinite after refinement [11]. This is guaranteed by the following theorem. Theorem 5.2 (Monotonicity of HTSs). Let MA and MA be exact HTSs defined based on abstractions (SA ,γ  ) and (SA ,γ ),resp., where (SA ,γ  ) is a split of (SA ,γ ). Then whenever sa ∈ SA is a substate of sa ∈ SA then (MA ,sa )  (MA ,sa ). Proof. Suppose that sa ∈ SA is a substate of sa ∈ SA . We show that (MA ,sa )  (MA ,sa ). For this purpose we show that H ⊆ SA × SA defined by (sa ,sa ) ∈ H iff ρ(sa ) = sa (i.e., sa is a substate of sa ) is a hyper mixed simulation. Let (sa ,sa ) ∈ H. We show that the three requirements hold. (1) Suppose l ∈ LA (sa ). Then by the construction scheme, ∀sc ∈ γ (sa ) : l ∈ LC (sc ). Since sa is a substate of sa , then γ  (sa ) ⊆ γ (sa ), thus in particular ∀sc ∈ γ  (sa ) : l ∈ LC (sc ) and by the construction scheme l ∈ LA (sa ). Thus LA (sa ) ⊆ LA (sa ). (2) Suppose sa RA− Aa . Then by the construction, ∀sc ∈ γ (sa ) ∀sc [ sc Rsc ⇒ ∃sa1 ∈ Aa s.t. sc ∈ γ (sa1 ) ], i.e., ∀sc ∈ γ (sa ) ∀sc [ sc Rsc ⇒    ∈ γ (A ) ]. sc ∈ γ (Aa ) ]. Since sa is a substate of sa , then γ  (sa ) ⊆ γ (sa ), thus in particular ∀sc ∈ γ  (sa ) ∀s a c [ sc Rsc ⇒ sc

     Let Aa ⊆ SA be the set consisting of all the substates of states in Aa . By definition of a split, ρ(sa )=sa γ (sa ) = γ (sa ),

meaning that γ  (Aa ) = γ (Aa ). Therefore the following holds: ∀sc ∈ γ  (sa ) ∀sc [ sc Rsc ⇒ sc ∈ γ  (Aa ) ]. This implies that  ∈ A , at least one of its superstates s  sa RA− Aa . Moreover, (Aa ,Aa ) ∈ H ∀∃ since for every sa1 a1 is in Aa (otherwise sa1 would a  ,s ) ∈ H. Thus ∀s ∈ A ∃s  ,s ) ∈ H. not be included in Aa ), and as such (sa1 ∈ A : (s a a1 a1 a1 a a1 a1 (3) Suppose sa RA+ Aa . Then by the construction, ∀sc ∈ γ (sa ) ∃sa1 ∈ Aa ∃sc ∈ γ (sa1 ) s.t. sc Rsc , i.e., ∀sc ∈ γ (sa ) ∃sc ∈ γ (Aa ) s.t. sc Rsc .      Since sa is a substate of sa , then γ (sa ) ⊆ γ (sa ), thus in particular ∀sc ∈ γ (sa ) ∃sc ∈ γ (Aa ) s.t. sc Rsc . Again, let Aa ⊆ SA be the set consisting of all the substates of states in Aa . As before γ  (Aa ) = γ (Aa ). Thus the following holds: ∀sc ∈ γ  (sa ) ∃sc ∈ γ  (Aa ) s.t. sc Rsc . This implies that sa RA+ Aa . Moreover, as before (Aa ,Aa ) ∈ H ∀∃ . 

Monotonicity implies that refinement of an exact HTS will never take us further from the (definite) result. In particular, we will not “miss” the opportunity to get a definite result only due to excess refinement. Thus, our approach, which is as precise as using the exact HTS w.r.t. the desired property, will ensure the same. Recall that the same is not guaranteed when using ordinary must transitions [11]. If the concrete model is finite, an iterative abstraction-refinement is guaranteed to terminate with a definite answer.

1332

S. Shoham, O. Grumberg / Information and Computation 206 (2008) 1313–1333

6. Conclusion We have investigated the precision and model checking complexity of 3-valued abstract models that preserve the full μ-calculus. In order to evaluate precision of models, we have suggested a new definition of precision of 3-valued abstract models, which measures the precision of a model compared to the information retained in the abstract states and abstraction mapping. Namely, the abstract states define the “resolution” through which one can look at the concrete states at every point during the inductive evaluation of a property. An abstract model is precise if it enables to verify or falsify every property that the resolution of the abstract states enables to verify or falsify, respectively. Examining previously suggested abstract models using our new definition revealed that may transitions do not enable to achieve maximal precision. We have therefore suggested a new class of models that use may hyper transitions to over approximate the concrete transitions. We proposed a construction of a precise abstract model of this class. Hyper transitions make the size of the model exponential in the number of abstract states. To avoid this exponential blowup, which already existed in previously suggested models that use must hyper transitions, we have suggested a new abstract model checking algorithm for the alternation free μ-calculus, in which the hyper transitions are computed by need. As a result, the model checking complexity reduces to O(|SA |2 × |ϕ|), without compromising its precision. We believe that similar techniques can be used to develop precise abstract model checking algorithms for the full μ-calculus, with complexity comparable to model checking of ordinary transition systems. Finally, we have incorporated our abstract model checking into an abstraction-refinement algorithm, where the refinement is monotonic in terms of the precision of the models before and after refinement. Appendix A. Handling multiple initial states So far we considered the verification problem of a formula in a specific concrete state. We now extend the discussion to the case where the concrete Kripke structure MC has a set of initial states, denoted S0C , with the usual meaning, that MC satisfies ϕ, denoted MC |= ϕ, if ∀s0 ∈ S0C : [[ϕ]]MC (s0 ) = tt. Otherwise, MC falsifies ϕ, denoted MC |= ϕ. Typically, when the concrete model has a set of initial states, so does the abstract model. For example, in a GTS [11] the set of abstract initial states S0A has to be some set such that ∀∃(1) : ∀s0c ∈ S0C ∃s0a ∈ S0A s.t. s0c ∈ γ (s0a ), and ∀∃(2) : ∀s0a ∈ S0A ∃s0c ∈ S0C s.t. s0c ∈ γ (s0a ). ∀∃(1) is needed to preserve truth, as it ensures that the initial states of the abstract model represent all the concrete initial states. On the other hand, ∀∃(2) is needed to preserve falsity, as it ensures that each abstract initial state represents at least one concrete initial state. For example, in [11], S0A is built such that s0a ∈ S0A iff ∃s0c ∈ S0C s.t. s0c ∈ γ (s0a ). This construction is precise if the abstract states represent disjoint sets of concrete states. Yet, similarly to the imprecision introduced by the may transitions when the abstract states are not necessarily disjoint, the same problem occurs with respect to the initial states of an abstract model. In particular, suppose that some concrete initial state s0c is represented by two abstract states: sa in which ϕ1 is true, but ϕ2 is indefinite, and sa in which ϕ2 is true, but ϕ1 is indefinite. Then considering sa as the only initial state will enable verification of ϕ1 but not ϕ2 , and vice versa for sa . Yet, no choice of a set of initial states will enable verification of both formulas, even if s0c is the only initial state: including sa in S0A will prevent verifying ϕ2 and including sa will prevent verifying ϕ2 . This example demonstrates that sometimes different sets of initial abstract states need to be considered for different properties. Therefore, to get a precise abstract model, one needs to allow multiple sets of initial states, with the meaning that any one of them suffices to verify or falsify a property. Thus, rather than a set of initial states, the class of HTSs is extended by a set of sets of initial states S0 ⊆ 2SA , with the meaning that each of the sets in S0 is a “legal” set of initial states, i.e., it satisfies the [∀∃(1)] and [∀∃(2)] conditions. In the exact HTS MAE , S0 will consist of all the sets that satisfy these conditions. An extended HTS satisfies ϕ, denoted MA |=3 ϕ, if there exists S0A ∈ S0 where all the states satisfy ϕ. It falsifies ϕ, denoted MA |=3 ϕ, if there exists S0A ∈ S0 where at least one state falsifies ϕ. Otherwise the value of ϕ in MA is indefinite, denoted ?

MA |==3 ϕ. Provided that the sets in S0 fulfill conditions ∀∃(1) and ∀∃(2), this ensures preservation of both truth and falsity. Here again, instead of checking for each possible set of abstract states if it should be included in S0 (which requires two ∀∃ checks), and then checking if it enables verification or falsification of ϕ, one may use a similar technique as was used for the hyper transitions and choose the candidates more carefully. The idea is to apply the previous model checking algorithm by setting Sd to {sa | ∃s0c ∈ S0C s.t. s0c ∈ γ (s0a )}. This is the maximal set that fulfills condition ∀∃(2). Thus, the sets in S0 in the exact HTS are exactly all the subsets of Sd that fulfill ∀∃(1) (including Sd itself). When the coloring is over, do the following. (1) If at least one initial node n is colored F, then MC |= ϕ. This is because n = sa  ϕ for some sa ∈ Sd . Since Sd ∈ S0 this implies that MAE |=3 ϕ.

S. Shoham, O. Grumberg / Information and Computation 206 (2008) 1313–1333

1333

(2) Otherwise, let S0 T = {sa ∈ Sd | n = sa  ϕ is colored T } be the set of underlying states of the initial nodes that are colored T. If S0 T fulfills the ∀∃(1) condition, then it is a “legal” set of initial states, in which all of the states satisfy ϕ, meaning that MAE |=3 ϕ, and thus MC |= ϕ. ?

(3) If none of the above holds, then MAE |==3 ϕ, which means that the abstraction is not precise enough. The correctness of this conclusion results from the fact that if there existed a possible set of initial states in S0 that falsifies ϕ, then it would have included a state from Sd that falsifies ϕ, in which case the first item would have applied. Similarly, if there existed a possible set of initial states that enables verification of ϕ, then it would have clearly been a subset of S0 T , thus the second item would have applied. References [1] S. Shoham, O. Grumberg, 3-valued abstraction: more precision at less cost, in: Twenty-First Annual IEEE Symposium on Logic in Computer Science (LICS), Seattle, Washington, 2006, pp. 399–410. [2] E. Clarke, O. Grumberg, D. Peled, Model Checking, MIT Press, 1999. [3] G. Bruns, P. Godefroid, Model checking partial state spaces with 3-valued temporal logics, in: Computer Aided Verification, 1999, pp. 274–287. [4] D. Kozen, Results on the Propositional μ-Calculus, TCS 27. [5] K.G. Larsen, Modal specifications, in: J. Sifakis (Ed.), Proceedings of the 1989 International Workshop on Automatic Verification Methods for Finite State Systems, Grenoble, France, LNCS, vol. 407, Springer-Verlag, 1989. [6] K. Larsen, B. Thomsen, A modal process logic, Proceedings of the Third Annual Symposium on Logic in Computer Science (LICS), IEEE Computer Society Press, 1988, pp. 203–210. [7] D. Dams, R. Gerth, O. Grumberg, Abstract interpretation of reactive systems, ACM Transactions on Programming Languages and Systems (TOPLAS) 19 (2). [8] K. Namjoshi, Abstraction for branching time properties, Proceedings of the 15th International Conference on Computer Aided Verification (CAV’03), LNCS, vol. 2725, Springer, Boulder, CO, USA, 2003, pp. 288–300. [9] D. Dams, K. Namjoshi, The existence of finite abstractions for branching time model checking, 19th IEEE Symposium on Logic in Computer Science (LICS), IEEE Computer Society, 2004, pp. 335–344. [10] L. de Alfaro, P. Godefroid, R. Jagadeesan, Three-valued abstractions of games: uncertainty, but with precision, Proceedings of the 19th Annual IEEE Symposium on Logic in Computer Science (LICS), 2004, pp. 170–179. [11] S. Shoham, O. Grumberg, Monotonic abstraction-refinement for CTL, in: 10th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS), vol. 2988, LNCS, Barcelona, Spain, 2004, pp. 546–560. [12] K. Larsen, L. Xinxin, Equation solving using modal transition systems, in: J. Mitchell (Ed.), Proceedings of the Fifth Annual IEEE Symposium on Logic in Computer Science (LICS), IEEE Computer Society Press, 1990, pp. 108–117. [13] P. Cousot, R. Cousot, Abstract interpretation frameworks, Journal of Logic and Computation 2 (1992) 511–547. [14] P. Cousot, R. Cousot, Comparing the Galois connection and widening/narrowing approaches to abstract interpretation, Proceedings of the Conference on Programming Language Implementation and Logic Programming (PLILP’92), LNCS, vol. 631, Springer-Verlag, 1992, pp. 269–295. [15] R. Cleaveland, P. Iyer, D. Yankelevich, Optimality in abstraction of model checking, in: Static Analysis Symposium (SAS), 1995, pp. 51–63. [16] D.A. Schmidt, Closed and logical relations for over- and under-approximation of powersets, in: Static Analysis Symposium (SAS), 2004, pp. 22–37. [17] A. Gurfinkel, O. Wei, M. Chechik, Systematic construction of abstractions for model-checking, in: Conference on Verification, Model Checking and Abstract Interpretation (VMCAI), 2006. [18] P. Cousot, R. Cousot, Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints, in: popl4, Los Angeles, California, 1977, pp. 238–252. [19] P. Godefroid, M. Huth, R. Jagadeesan, Abstraction-based model checking using modal transition systems, in: Proceedings of CONCUR’01, 2001. [20] G. Bruns, P. Godefroid, Generalized model checking: reasoning about partial state spaces, in: CONCUR’00, vol. 1877, 2000, pp. 168–182. [21] P. Godefroid, R. Jagadeesan, Automatic abstraction using generalized model checking, Proceedings of Conference on Computer-Aided Verification (CAV), LNCS, vol. 2404, Springer-Verlag, Copenhagen, Denmark, 2002, pp. 137–150. [22] C.S. Pasareanu, R. Pelánek, W. Visser, Concrete model checking with abstract matching and refinement, in: Computer Aided Verification (CAV), 2005, pp. 52–66. [23] A. Tarski, A lattice-theoretical fixpoint theorem and its applications, Pacific Journal of Mathematics 5 (1955) 285–309. [24] M. Huth, R. Jagadeesan, D. Schmidt, Modal transition systems: a foundation for three-valued program analysis, in: European Symposium on Programming (ESOP’01), vol. 2028, 2001, pp. 155–169. [25] P. Godefroid, R. Jagadeesan, On the expressiveness of 3-valued models, Proceedings of VMCAI’2003 (4th Conference on Verification, Model Checking and Abstract Interpretation), LNCS, vol. 2575, Springer-Verlag, New York, 2003, pp. 206–222. [26] P. Cousot, R. Cousot, Systematic design of program analysis frameworks, Proceedings of the 6th ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages (POPL), ACM, New York, NY, USA, 1979, pp. 269–282. [27] R. Giacobazzi, F. Ranzato, F. Scozzari, Making abstract interpretations complete, Journal of the ACM 47 (2) (2000) 361–416. [28] R. Giacobazzi, E. Quintarelli, Incompleteness, counterexamples, and refinements in abstract model checking, Static Analysis Symposium (SAS), LNCS, vol. 2126, Springer-Verlag, 2001, pp. 356–373. [29] D. Schmidt, Comparing completeness properties of static analyses and their logics, Asian Symp. Prog. Lang. Systems (APLAS’06), LNCS, vol. 4279, Springer-Verlag, 2006, pp. 183–199. [30] F. Ranzato, F. Tapparo, Strong preservation as completeness in abstract interpretation, Proceedings of the European Symposium Programming, LNCS, vol. 2986, Springer-Verlag, 2004, pp. 18–32. [31] F. Ranzato, F. Tapparo, Strong preservation of temporal fixpoint-based operators by abstract interpretation, Conference on Verification, Model Checking and Abstract Interpretation (VMCAI), LNCS, vol. 3855, Springer-Verlag, 2006, pp. 332–347. [32] S. Shoham, O. Grumberg, A game-based framework for CTL counterexamples and 3-valued abstraction-refinement, Proceedings of the 15th International Conference on Computer Aided Verification (CAV’03), LNCS, vol. 2725, Springer, Boulder, CO, USA, 2003, pp. 275–287. (to appear in TOCL).